FW: [Snort-users] Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)

Jason Haar Jason.Haar at ...294...
Sat Nov 13 13:19:05 EST 2004


snortman at ...8908... wrote:

> I also think it's related to stream4. I have seen it happen to my sensor
> with http_inspect disabled.
>
> I am using snort 2.1.0, only updated rules up till now. Should I update to
> 2.1.3 or 2.2.0 to fix this problem?
> Has anyone seen this happen in version 2.1.3?

I've seen it with 2.2.0

> Additional info:
> 1. I am capturing traffic from 2 VLANs using port span.
> 2. My traffic is pretty high.
>
> Could this be the cause?

Nope. I'm seeing it on my home snort install (yes, sad I know) - very
low traffic. In fact, it's the fact that it's low traffic that allowed
me to notice it. Such events happening on our work network are almost
impossible to notice. 10 events/day at home is a lot easier to parse by
eye than 2000+/day.

Jason



