[Snort-users] Incorrect payload on acid alerts
Jason.Haar at ...294...
Tue Nov 9 18:10:01 EST 2004
Joshua Berry wrote:
>Several times I have seen a similar issue for HTTP sessions where
>multiple HTTP connections are shown for one alert. It appears that
>several sessions had been combined into a single snort alert and many of
>these sessions did not match any of the signatures.
I hate to do a "me too" - but, me too.
I was sitting on it until I could come up with something more
substantial to help find the problem, but I've seen snort trigger a
"EXPLOIT ssh CRC32 overflow NOOP" between two hosts I control, and yet
the packet captured by snort was actually HTTP headers bunged onto the
end of some binary data.
It wasn't SSH data, it wasn't HTTP data, it was...? Packet length was
2630 - which makes me think there's still a bug in how snort aggregates
packets together into flows.
This was snort-2.2.0 under Fedora Core 2.