[Snort-users] Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)

Jason Haar Jason.Haar at ...294...
Sat Nov 13 00:55:09 EST 2004


Hmm - I can't find a bug reporting system as such - so I guess this just
goes here?

In the past week there have been 4(?) people all reporting that snort-2.2.0
appears to be merging separate data streams together into one alert (and I
assume that means it was tracking them as one stream in the first place).
Just tonight I noticed an alert on one of my systems about a "NON-RFC HTTP
DELIMITER" which is nothing of the kind - it's around 3 separate HTTP
transactions that have been merged together (8134 bytes) - not end-to-end
either (there's a "\r\nr: unknown\r\n" in the middle of it that would have
actually been a "\r\nX-Forwarded-For: unknown\r\n" from our proxy server -
but has been "corrupted").

All the other email reports seem to be HTTP-related (which implies
http_inspect?), but I have seen it happen to both HTTP and SSH traffic -
which more implies stream4.

Has anyone on the Snort team picked up on this "noise" yet? :-)

Thanks!

Jason
