[Snort-users] Incorrect payload on acid alerts

Joshua Berry jberry at ...11848...
Tue Nov 9 07:00:07 EST 2004


Several times I have seen a similar issue for HTTP sessions where
multiple HTTP connections are shown for own alert.  It appears that
several sessions had been combined into a single snort alert and many of
these sessions did not match any of the signatures.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Alex
Butcher, ISC/ISYS
Sent: Tuesday, November 09, 2004 8:50 AM
To: Dirk Geschke; snortman at ...8908...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Incorrect payload on acid alerts



--On 09 November 2004 14:58 +0100 Dirk Geschke <Dirk_Geschke at ...1344...> 
wrote:

> Hi,
>
>> I have a snort version 2.1.0 installed a few month now and it worked
>> fine.
>>
>> Alerts output is to mysql and acid.
>>
>> Recently I added a Microsoft sms server which createstons of alerts
>>
>> For example : WEB-MISC http directory traversal
>>
>> The problem is when I look at the payload I can see the beginning of
the
>> payload which was actually sent to the sms server and the rest
completely
>> different sessions (parts of email messages , part of telnet
sessions)
>> the alert is generated by the wrong part of the payload.
>>
>> Can anyone help me ?
>
> yes, upgrade to snort-2.1.3 or better to snort-2.2.0.
>
> There were some bugs within stream4 which caused a mixup of parts
> from other sessions.

I've seen this in 2.2.0, also. :-(

The checksum has been wrong in these cases.

I wasn't sure whether it was caused by a bug in the switch whose ports
I'm spanning, or snort, otherwise I'd have reported it before now.

> Dirk

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list