[Snort-users] data from multiple sessions in one alert/packet

Joel Esler joel.esler at ...1935...
Thu May 18 11:08:12 EDT 2006


Jon,

What type of output module are you using?

Joel

Jon Hart wrote:
> On Thu, May 18, 2006 at 12:52:47AM +0300, nikns wrote:
>> I had identical issue. You are probably dropping packets.
> 
> I am dropping packets:
> 
> May 18 09:35:51 xxxxx snort[2252]: Snort received 216724389 packets 
> May 18 09:35:51 xxxxx snort[2252]:     Analyzed: 215806721(99.577%) 
> May 18 09:35:51 xxxxx snort[2252]:     Dropped: 917668(0.423%) 
> 
>> Short answer is:
>> "There is a config parameter in Stream4 to help address that.
>> On the stream4_reassemble line, add "zero_flushed_packets".
>> This will cause Stream4 to zero out the memory of the
>> rebuilt packet before copying in the new data.  So, when
>> packets are missing from the middle of the rebuilt packet,
>> you'll get 0x00 in those bytes, rather than whatever was
>> there from the previous rebuild." <c> Steven
> 
> That does work, but now I get 0x00's in the missing portions of the
> packet.  This is better, though I'd rather not be dropping any packets
> at all.
> 
> Thanks!
> 
> -jon
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
+---------------------------------------------------------------------+
Joel Esler -- Senior Security Consultant, SFCE - 1-706-627-2101
Sourcefire - Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key -- http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
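The two technical points in the quoted exchange above are the packet-drop statistics Jon pasted and the Stream4 `zero_flushed_packets` behaviour Steven describes (stale bytes from the previous rebuild showing up in the gaps of a reassembled packet). The following is an added Python example, not code from the thread or from Snort itself: it parses the drop counters out of the statistics lines, models a reused reassembly buffer with and without zeroing so the cross-session leak is visible, and shows how a `stream4_reassemble` line would be amended. The hostname, PID, session payloads and the 0.1% drop threshold are constructed assumptions; the option name `zero_flushed_packets` is the one from the thread.

```python
import re

# Constructed sample of the statistics Snort prints at shutdown, modelled on
# the lines quoted in the thread (hostname and PID are made up).
SAMPLE_STATS = """\
May 18 09:35:51 sensor1 snort[2252]: Snort received 216724389 packets
May 18 09:35:51 sensor1 snort[2252]:     Analyzed: 215806721(99.577%)
May 18 09:35:51 sensor1 snort[2252]:     Dropped: 917668(0.423%)
"""

_RECEIVED = re.compile(r"Snort received (\d+) packets")
_COUNTER = re.compile(r"(Analyzed|Dropped): (\d+)\(([\d.]+)%\)")


def parse_drop_stats(text):
    """Return received/analyzed/dropped counts and a recomputed drop percentage.

    The percentage is derived from the counters rather than trusted from the
    log line, so a truncated or hand-edited line cannot hide a drop rate.
    """
    stats = {}
    for line in text.splitlines():
        m = _RECEIVED.search(line)
        if m:
            stats["received"] = int(m.group(1))
            continue
        m = _COUNTER.search(line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    if stats.get("received") and "dropped" in stats:
        stats["drop_pct"] = round(100.0 * stats["dropped"] / stats["received"], 3)
    return stats


def drops_exceed(stats, threshold_pct=0.1):
    """True when the sensor dropped more than threshold_pct of traffic (assumed threshold)."""
    return stats.get("drop_pct", 0.0) > threshold_pct


def rebuild_stream(buffer, segments, zero_flushed):
    """Model Stream4 copying TCP segments into a reassembly buffer reused across flushes.

    segments are (offset, bytes) pairs that actually arrived; bytes that were
    dropped are never written.  With zero_flushed=False the gaps keep whatever
    the previous rebuild left there; with zero_flushed=True (the behaviour the
    thread attributes to zero_flushed_packets) they read as 0x00.
    """
    if zero_flushed:
        buffer[:] = b"\x00" * len(buffer)
    for offset, data in segments:
        buffer[offset:offset + len(data)] = data
    return bytes(buffer)


# Constructed sessions: A fills the 32-byte buffer; B lost bytes 8..23 to drops.
SESSION_A = b"GET /session-A/secret HTTP/1.0\r\n"
SESSION_B_SEGMENTS = [(0, b"POST /b "), (24, b"HTTP/1.0")]


def demo_reassembly():
    """Return (stale, zeroed): session B rebuilt without and with buffer zeroing."""
    stale_buf = bytearray(32)
    rebuild_stream(stale_buf, [(0, SESSION_A)], zero_flushed=False)
    stale = rebuild_stream(stale_buf, SESSION_B_SEGMENTS, zero_flushed=False)

    zero_buf = bytearray(32)
    rebuild_stream(zero_buf, [(0, SESSION_A)], zero_flushed=False)
    zeroed = rebuild_stream(zero_buf, SESSION_B_SEGMENTS, zero_flushed=True)
    return stale, zeroed


def add_zero_flushed(conf_line):
    """Append zero_flushed_packets to a 'preprocessor stream4_reassemble' line if absent.

    Lines for other preprocessors are returned unchanged.
    """
    stripped = conf_line.strip()
    if not stripped.startswith("preprocessor stream4_reassemble"):
        return conf_line
    if "zero_flushed_packets" in stripped:
        return conf_line
    separator = ", " if ":" in stripped else ": "
    return conf_line.rstrip() + separator + "zero_flushed_packets"


if __name__ == "__main__":
    s = parse_drop_stats(SAMPLE_STATS)
    print("drop rate %.3f%% (alert=%s)" % (s["drop_pct"], drops_exceed(s)))
    stale, zeroed = demo_reassembly()
    print("gap without zeroing:", stale[8:24])   # bytes leaked from session A
    print("gap with zeroing:   ", zeroed[8:24])  # 16 x 0x00
    print(add_zero_flushed("preprocessor stream4_reassemble: both, ports default"))
```

Run stand-alone, the script prints the recomputed 0.423% drop rate, the sixteen bytes of session A's request that would have been reported inside session B's alert without zeroing, and the amended configuration line. The zeroing only makes the symptom honest (0x00 instead of another session's data); as Jon notes, the underlying fix is to stop dropping packets.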
