[Snort-users] False positives due to stream4 issue?

Matt Kettler mkettler at ...4108...
Tue Apr 29 17:33:06 EDT 2003

At 11:50 AM 4/30/2003 +1200, Jason Haar wrote:
>I've noticed that the FPs I'm getting for "SMTP From comment overflow attempt"
>look an entire mail message in one packet. ACID shows me the following:

Are you using snort 2.0? the rule in 2.0 shouldn't have fired on this. It 
should also be looking for a pair of closely spaced ( ) characters after 
the string of <><><><> stuff.

And you're right, it is a re-assembled stream, but the rule is (should be) 
designed to deal with that.

In fact, presenting that data in that fashion is pretty much what stream4 
should be doing (although I'd argue it should have flushed the data through 
each time your server responded. So it should have appeared as if it were 4 
packets, regardless of the actual number of IP layer packets, which could 
be significantly greater).

More information about the Snort-users mailing list