[Snort-users] snort locked into using one signature

James Nonya slave_tothe_box at ...131...
Wed Apr 7 13:01:13 EDT 2004


On Wed, 7 Apr 2004 14:40:55 -0500
"Spencer Anderson" <sanderson at ...11591...>
wrote:

> Over the past week a strange thing has happened
twice on my snort
> sensor.  Traffic that is normally logged under
different signatures has
> all been logged with the same signature, which isn't
even correct.  A
> generic example is:
> 
> Pkt1 normally triggers Sig1
> Pkt2 normally triggers Sig2
> Pkt3 normally triggers Sig3
> 
> At times when only packets of type Pkt1 and Pkt2 are
passing by the
> sensor, only Sig3 is getting logged in the event
table.  If I restart
> snort it goes back to working the correctly.  It
seems to me like Pkt3
> is passing the sensor and occasionally snort is
getting locked up and
> starts thinking every time there is a signature
match, it should place
> Sig3 as the offending signature in event table in my
database.
> 
> It seems snort is still comparing the packets
against the signatures
> correctly because Sig3 is for TCP traffic and Pkt1
is ICMP and Pkt2 is
> UDP and the correct header information is being put
into the database
> for each cid, it just decides to put Sig3 in
event.signature for every
> different signature match snort detects.
> 
> Both times this has happened to me Sig3 has been a
different signature,
> so I don't think it's the rule definition itself.
> 
> I am running Snort Version 2.1.0 (Build 9) & MySQL
Ver 4.0.17 on Red Hat
> 9.

Spencer,

I saw this too sometimes using 2.0.* and 2.1.0.  Try
upgrading...kinda wild...don't know what causes it.  

James


__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/




More information about the Snort-users mailing list