[Snort-users] Snort 2.6.1.3 ignoring stream4

Paul Melson pmelson at ...11827...
Thu Apr 19 15:12:58 EDT 2007


> If I am not mistaken we got Paul on the path yesterday and all is well
now. I wil let him provide 
> details if he feels it appropriate.

The culprit was a pair of old (circa 2.1) rules that had only a pcre:
pattern.  These combined with changes made to Snort's pcre functionality
between 2.6.0 and 2.6.1 to cause the performance problem.  Adding flow:
conditions to these rules fixed the problem.

If you're interested, I posted some more of the gory details on my blog:
http://pmelson.blogspot.com

PaulM








More information about the Snort-users mailing list