[Snort-sigs] I think there's something wrong when snort tries to reassemble TCP stream

Matt Kettler mkettler at ...189...
Mon Jul 21 09:14:27 EDT 2003


At 02:11 PM 7/21/2003 +0800, =?gb2312?B?1Pgg0KHBog==?= wrote:

>    I think there's something wrong when snort tries to reassemble TCP 
> stream in StoreStreamPkt() function in spp_stream4.c. In 
> StoreStreamPkt(), if it finds out the packet  we just receive 
> is  un-ack'd, then it looks for this packet in the tree like this:

Ok, I have to ask.. what do these posts have to do with signatures?

Snort-sigs has a subscriber base that is interested in analyzing packet 
traces of worms, trojans and attack tools in order to write new snort 
signatures to catch them. This has very little to do with how the internal 
workings of stream4 are written. Perhaps this should be on snort-users or 
snort-devel?

In the future if you don't get a reply, I'd suggest trying to figure out 
why rather than merely reposting the message.





More information about the Snort-sigs mailing list