[Snort-users] Incorrect payload on acid alerts
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Nov 9 06:51:04 EST 2004
--On 09 November 2004 14:58 +0100 Dirk Geschke <Dirk_Geschke at ...1344...>
>> I have a snort version 2.1.0 installed a few month now and it worked
>> Alerts output is to mysql and acid.
>> Recently I added a Microsoft sms server which createstons of alerts
>> For example : WEB-MISC http directory traversal
>> The problem is when I look at the payload I can see the beginning of the
>> payload which was actually sent to the sms server and the rest completely
>> different sessions (parts of email messages , part of telnet sessions)
>> the alert is generated by the wrong part of the payload.
>> Can anyone help me ?
> yes, upgrade to snort-2.1.3 or better to snort-2.2.0.
> There were some bugs within stream4 which caused a mixup of parts
> from other sessions.
I've seen this in 2.2.0, also. :-(
The checksum has been wrong in these cases.
I wasn't sure whether it was caused by a bug in the switch whose ports
I'm spanning, or snort, otherwise I'd have reported it before now.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
More information about the Snort-users