[Snort-users] snort behind TAP & asynchronous_link

Chris Green cmg at ...1935...
Thu Aug 15 04:19:02 EDT 2002


Holger.Woehle at ...2701... writes:

>
> Snort does not recognize the alerts with the flow:to_server,established
> attributes.

Let me take another look at this.  I haven't taken a look at the
asynch state machine since it was added.  It *is* a state machine of
less quality.

The outer features are why we have a beta cycle :)

> It seems to me that snort does not reassemble the stream.
> If I delete the established attribute snort recognises the alert.
> But then i run into my other problem (please see thread: snort seas no
> fragmented error).

Let me look at it some more. 
-- 
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."



