[Snort-users] Incorrect payload on acid alerts
Dirk_Geschke at ...1344...
Tue Nov 9 05:59:04 EST 2004
> I have snort version 2.1.0 installed for a few months now and it worked fine.
> Alerts output is to mysql and acid.
> Recently I added a Microsoft sms server which creates tons of alerts.
> For example: WEB-MISC http directory traversal
> The problem is when I look at the payload I can see the beginning of the
> payload which was actually sent to the sms server and the rest is completely
> different sessions (parts of email messages, parts of telnet sessions); the
> alert is generated by the wrong part of the payload.
> Can anyone help me?
Yes, upgrade to snort-2.1.3 or, better, to snort-2.2.0.
There were some bugs within stream4 which caused a mixup of parts
from other sessions.