[Snort-users] Some alerts look like aggregated TCP sessions...
erek at ...577...
Tue Aug 27 18:13:04 EDT 2002
On Wed, 28 Aug 2002, Jason Haar wrote:
> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!
> Snort-1.8.7 under RH Linux, with the following options:
Jason, are you running the 1.8.7 release? Or is it a 1.8.7 CVS snapshot? If
it's release, upgrade to the CVS version. There was a bug in stream4 that
caused packet munging like what you are showing.
Give the CVS version of 1.8.7 a whirl, or even try 1.9 CVS. 1.9's quite
smooth and seems to have a bit more zip to it.