[Snort-users] Incorrect payload on acid alerts

Dirk Geschke Dirk_Geschke at ...1344...
Tue Nov 9 05:59:04 EST 2004


> I have a snort version 2.1.0 installed a few month now and it worked fine.
> Alerts output is to mysql and acid.
> Recently I added a Microsoft sms server which createstons of alerts
> For example : WEB-MISC http directory traversal 
> The problem is when I look at the payload I can see the beginning of the
> payload which was actually sent to the sms server and the rest completely
> different sessions (parts of email messages , part of telnet sessions) the
> alert is generated by the wrong part of the payload.
> Can anyone help me ?

yes, upgrade to snort-2.1.3 or better to snort-2.2.0.

There were some bugs within stream4 which caused a mixup of parts
from other sessions.


More information about the Snort-users mailing list