[Snort-users] snort locked into using one signature

Spencer Anderson sanderson at ...11591...
Wed Apr 7 12:42:03 EDT 2004

Over the past week a strange thing has happened twice on my snort
sensor.  Traffic that is normally logged under different signatures has
all been logged with the same signature, which isn't even correct.  A
generic example is:

Pkt1 normally triggers Sig1
Pkt2 normally triggers Sig2
Pkt3 normally triggers Sig3

At times when only packets of type Pkt1 and Pkt2 are passing by the
sensor, only Sig3 is getting logged in the event table.  If I restart
snort it goes back to working the correctly.  It seems to me like Pkt3
is passing the sensor and occasionally snort is getting locked up and
starts thinking every time there is a signature match, it should place
Sig3 as the offending signature in event table in my database.

It seems snort is still comparing the packets against the signatures
correctly because Sig3 is for TCP traffic and Pkt1 is ICMP and Pkt2 is
UDP and the correct header information is being put into the database
for each cid, it just decides to put Sig3 in event.signature for every
different signature match snort detects.

Both times this has happened to me Sig3 has been a different signature,
so I don't think it's the rule definition itself.

I am running Snort Version 2.1.0 (Build 9) & MySQL Ver 4.0.17 on Red Hat

More information about the Snort-users mailing list