[Snort-users] Incorrect payload on acid alerts

Jason Haar Jason.Haar at ...294...
Tue Nov 9 18:10:01 EST 2004


Joshua Berry wrote:

>Several times I have seen a similar issue for HTTP sessions where
>multiple HTTP connections are shown for one alert.  It appears that
>several sessions had been combined into a single snort alert and many of
>these sessions did not match any of the signatures.

I hate to do a "me too" - but, me too.

I was sitting on it until I could come up with something more 
substantial to help find the problem, but I've seen snort trigger a 
"EXPLOIT ssh CRC32 overflow NOOP" between two hosts I control, and yet 
the packet captured by snort was actually HTTP headers bunged onto the 
end of some binary data.

It wasn't SSH data, it wasn't HTTP data, it was...? Packet length was 
2630 - which makes me think there's still a bug in how snort aggregates 
packets together into flows.

This was snort-2.2.0 under Fedora Core 2.

Jason
