[Snort-users] data from multiple sessions in one alert/packet

Jon Hart jhart at ...8039...
Thu May 18 09:39:12 EDT 2006


On Thu, May 18, 2006 at 12:52:47AM +0300, nikns wrote:
> I had identical issue. You are probably dropping packets.

I am dropping packets:

May 18 09:35:51 xxxxx snort[2252]: Snort received 216724389 packets 
May 18 09:35:51 xxxxx snort[2252]:     Analyzed: 215806721(99.577%) 
May 18 09:35:51 xxxxx snort[2252]:     Dropped: 917668(0.423%) 

> Short answer is:
> "There is a config parameter in Stream4 to help address that.
> On the stream4_reassemble line, add "zero_flushed_packets".
> This will cause Stream4 to zero out the memory of the
> rebuilt packet before copying in the new data.  So, when
> packets are missing from the middle of the rebuilt packet,
> you'll get 0x00 in those bytes, rather than whatever was
> there from the previous rebuild." <c> Steven

That does work, but now I get 0x00's in the missing portions of the
packet.  This is better, though I'd rather not be dropping any packets
at all.

Thanks!

-jon




More information about the Snort-users mailing list