[Snort-users] Some alerts look like aggregated TCP sessions...

Erek Adams erek at ...577...
Tue Aug 27 18:13:04 EDT 2002


On Wed, 28 Aug 2002, Jason Haar wrote:

> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
>
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!

[...snip...]

> Snort-1.8.7 under RH Linux, with following options:

[...snip...]

Jason, are you running the 1.8.7 release?  Or is it a 1.8.7 CVS snapshot?  If
it's release, upgrade to the CVS version.  There was a bug in stream4 that
caused packet munging like what you are showing.

Give the CVS version of 1.8.7 a whirl, or even try 1.9 CVS.  1.9's quite
smooth and seems to have a bit more zip to it.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




