[Snort-users] [Snort-devel] 2.9.0.1 performance issue

Russ Combs rcombs at ...1935...
Thu Nov 18 12:07:57 EST 2010


On Thu, Nov 18, 2010 at 11:26 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...11827...>wrote:

> Hello.  To be clear, there is no fix for the "http_inspect\stream
> reassembly" bug at the moment (if there is a fix in SVN, let me know
> so I can take action here b/c this is seriously a non-trivial bug for
> me).  Apparently it is an issue with Stream5 having premature buffer
> flushing issues.
>
> Government/Critical Infrastructure companies take note: this bug leads
> to easy IDS/IPS evasion and this issue, "predates Snort 2.9.0"
> according to Sourcefire.
>

The reassembly fix is in the next release which is going through QA now and
will be released "soon".  Sorry I can't give you an exact date.

Also note that actual evasion depends on the timing of acknowledgements from
target to attacking host and so it isn't always "easy".



>
> -L0rd C.
>
> On Thu, Nov 18, 2010 at 10:09 AM, matan monitz <mmonitz at ...11827...> wrote:
> > sounds related to the http_inspect\stream reassembly bugfix
> >
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101118/da3fb8ee/attachment.html>


More information about the Snort-users mailing list