[Snort-users] data from multiple sessions in one alert/packet
jhart at ...8039...
Thu May 18 09:39:12 EDT 2006

On Thu, May 18, 2006 at 12:52:47AM +0300, nikns wrote:
> I had identical issue. You are probably dropping packets.

I am dropping packets:

May 18 09:35:51 xxxxx snort: Snort received 216724389 packets
May 18 09:35:51 xxxxx snort: Analyzed: 215806721(99.577%)
May 18 09:35:51 xxxxx snort: Dropped: 917668(0.423%)

> Short answer is:
> "There is a config parameter in Stream4 to help address that.
> On the stream4_reassemble line, add "zero_flushed_packets".
> This will cause Stream4 to zero out the memory of the
> rebuilt packet before copying in the new data. So, when
> packets are missing from the middle of the rebuilt packet,
> you'll get 0x00 in those bytes, rather than whatever was
> there from the previous rebuild." <c> Steven

That does work, but now I get 0x00's in the missing portions of the
packet. This is better, though I'd rather not be dropping any packets
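
The behaviour discussed in this message, as an added example that is not part of the original post and is not Snort's Stream4 source: a simplified model of a rebuild buffer reused across flushes, showing why a dropped segment exposes the previous session's bytes and what zeroing first changes. All names (`rebuild`, `stale_bytes_in_gap`, the sample sessions) are hypothetical and the payloads are constructed.

```c
#include <stdio.h>
#include <string.h>

#define REBUILD_MAX 64

/* One captured TCP segment: payload text and its offset in the stream. */
struct seg { size_t off; const char *data; };

/* Shared rebuild buffer, reused for every flush (assumed model of the
 * "rebuilt packet" memory described in the quoted reply). */
static unsigned char rebuilt[REBUILD_MAX];

/* Copy segments into the shared buffer and return the rebuilt length.
 * zero_first models the effect of zero_flushed_packets. */
size_t rebuild(const struct seg *s, size_t n, int zero_first)
{
    size_t end = 0;
    if (zero_first)
        memset(rebuilt, 0, sizeof rebuilt);
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i].data);
        if (s[i].off >= REBUILD_MAX) continue;      /* outside the buffer */
        if (len > REBUILD_MAX - s[i].off) len = REBUILD_MAX - s[i].off;
        memcpy(rebuilt + s[i].off, s[i].data, len);
        if (s[i].off + len > end) end = s[i].off + len;
    }
    return end;
}

/* Constructed data: session A is complete; session B lost bytes [7,19). */
static const struct seg sess_a[] = { {0, "GET /a "}, {7, "Cookie=AAAA "}, {19, "end-A"} };
static const struct seg sess_b[] = { {0, "GET /b "}, {19, "end-B"} };

/* Rebuild A, then B, and count non-zero bytes left in B's gap,
 * i.e. bytes that belong to session A. */
size_t stale_bytes_in_gap(int zero_first)
{
    size_t stale = 0;
    rebuild(sess_a, 3, zero_first);
    rebuild(sess_b, 2, zero_first);
    for (size_t i = 7; i < 19; i++)
        if (rebuilt[i] != 0) stale++;
    return stale;
}

int main(void)
{
    printf("stale bytes, no zeroing:   %zu\n", stale_bytes_in_gap(0));
    printf("stale bytes, zeroed first: %zu\n", stale_bytes_in_gap(1));
    return 0;
}
```

In both modes the rebuilt length is the same; only the content of the gap differs, which is why zeroing removes the cross-session data but still leaves 0x00 bytes where the dropped segment was.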