[Snort-users] Stream reassembly/statefull inspection errors

Alexander Hoogerhuis alexh at ...3932...
Sun Oct 28 12:47:01 EST 2001

I run snort locally on my Linux box (our company just got the
comparable function of a chief security officer, with an penchant for
real toys and tools. Hi, Per, I know you read this list. :] ). Since I
upgraded my box yesterday I have had my logs full of these warnings:

Oct 28 22:35:00 myhost snort[964]: [111:4:1] spp_stream4: WINDOW \
VIOLATION detection: x.x.x.x:32896 -> y.y.y.y:80

I run on RedHat 7.2 and linux kernel version 2.4.13-ac2 (with Robert
M. Love's preempt-patch if it matters) and get this against pretty
mnuch all mchines I talk to.

HOME_NET is defined to only as I move a lot around and
figured I may as well define everything as interesting traffic :)

As far as I can see I get this warning talking to anything out there,
so either something is wrong in my IP stack, or snort gets this wrong,
any takers with views? 


Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

More information about the Snort-users mailing list