[Snort-devel] Re: [Snort-sigs] Local CodeRed infection

Chris Green cmg at ...435...
Wed Jan 22 10:06:05 EST 2003


Bamm Visscher <rvissche at ...1206...> writes:

> Can you give the build number you are using? Looks like you have found a
> good example of a known bug in the stream4 preprocessor where packets
> from one stream mistakenly get injected into another stream. I see this
> all the time too. In short, this rule never should have triggered as an
> incoming cmd.exe (probably Nimda) got intermixed with a legitimate
> outgoing HTTP connection. Maybe Chris Green can give a more detailed
> explanation of what is happening as I know he is working on a solution.
>

It should be fixed in current CVS.  There were a couple problems with
flushing behaviors as well as one with stale uri buffers.
-- 
Chris Green <cmg at ...435...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod



