[Snort-devel] Re: [Snort-sigs] Local CodeRed infection
cmg at ...435...
Wed Jan 22 10:06:05 EST 2003
Bamm Visscher <rvissche at ...1206...> writes:
> Can you give the build number you are using? Looks like you have found a
> good example of a known bug in the stream4 preprocessor where packets
> from one stream mistakenly get injected into another stream. I see this
> all the time too. In short, this rule never should of triggered as an
> incoming cmd.exe (probably Nimda) got intermixed with legitimate
> outgoing HTTP connection. Maybe Chris Green can give a more detailed
> explanation of what is happening as I know he is working on a solution.
It should be fixed in current CVS. There were a couple problems with
flushing behaviors as well as one with stale uri buffers.
Chris Green <cmg at ...435...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
More information about the Snort-sigs