Snort mailing list archives
BUG in stream4 reassemble
From: Peng Yong <ppyy () staff cn99 com>
Date: Mon, 01 Apr 2002 17:25:10 +0800
we use snort Version 1.8.4 (Build 99) to log all the POP3 packets of our private network. and find there are some duplicate packet when we enable stream4_reassemble. if we disable stream4_reassemble, it works ok. the duplicate packet has a feture. The ID of Ip header is always 0. here is a example: 04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174 is this a BUG of stream4_reassemble? here is our snort.conf: preprocessor frag2 preprocessor stream4: keepstats preprocessor stream4_reassemble: both, ports 110 var MY_NET [192.168.0.0/24] log tcp any 110 <> $MY_NET any and the loged packets in attachment -- Peng Yong Email: ppyy () staff cn99 com Bentium Ltd. URL: http://www.cn99.com
Attachment:
log
Description:
Current thread:
- BUG in stream4 reassemble Peng Yong (Apr 01)
- Re: BUG in stream4 reassemble Chris Green (Apr 01)
- <Possible follow-ups>
- BUG in stream4 reassemble Peng Yong (Apr 02)
- Re: BUG in stream4 reassemble Chris Green (Apr 02)