Snort mailing list archives

Re: snort locked into using one signature


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 7 Apr 2004 13:00:36 -0700 (PDT)

On Wed, 7 Apr 2004 14:40:55 -0500 "Spencer Anderson" <sanderson () clearnorthtech com> wrote:

Over the past week a strange thing has happened twice on my snort sensor.  Traffic that is normally logged under different signatures has all been logged with the same signature, which isn't even correct.  A generic example is:

Pkt1 normally triggers Sig1
Pkt2 normally triggers Sig2
Pkt3 normally triggers Sig3

At times when only packets of type Pkt1 and Pkt2 are passing by the sensor, only Sig3 is getting logged in the event table.  If I restart snort it goes back to working correctly.  It seems to me like Pkt3 is passing the sensor and occasionally snort is getting locked up and starts thinking every time there is a signature match, it should place Sig3 as the offending signature in the event table in my database.

It seems snort is still comparing the packets against the signatures correctly because Sig3 is for TCP traffic and Pkt1 is ICMP and Pkt2 is UDP and the correct header information is being put into the database for each cid, it just decides to put Sig3 in event.signature for every different signature match snort detects.

Both times this has happened to me Sig3 has been a different signature, so I don't think it's the rule definition itself.

I am running Snort Version 2.1.0 (Build 9) & MySQL Ver 4.0.17 on Red Hat 9.

Spencer,

I saw this too sometimes using 2.0.* and 2.1.0.  Try upgrading...kinda wild...don't know what causes it.

James
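The symptom Spencer describes leaves a detectable trace in the database: Snort still writes the correct IP header for each cid, but event.signature points at a rule whose protocol does not match that header. The check below is an added example (not code from the thread, Snort, or the Snort database scripts) that reproduces the situation on an in-memory SQLite copy of a few columns from Snort's MySQL schema (tables event, signature, iphdr, column names as in Snort's create_mysql script) and flags events whose logged signature disagrees with the stored ip_proto. The signature-to-protocol map and all rows are constructed sample data; a real deployment would build that map from its rule files and point the query at the live database.

```python
import sqlite3

# Constructed subset of the Snort database schema (event, signature, iphdr).
# Column names follow Snort's create_mysql script; everything else is sample data.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_proto INTEGER,
                    PRIMARY KEY (sid, cid));
"""

# Assumption: the IP protocol each rule header applies to (icmp=1, tcp=6, udp=17).
# Hard-coded for the thread's three example signatures; derive it from the rule
# files in a real deployment.
EXPECTED_PROTO = {1: 1, 2: 17, 3: 6}   # Sig1 icmp, Sig2 udp, Sig3 tcp
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed events: (cid, event.signature, iphdr.ip_proto).  The first three are
# healthy; the last three show the symptom from the thread: every event is tagged
# Sig3 although the stored headers are ICMP and UDP.
SAMPLE_ROWS = [
    (1, 1, 1), (2, 2, 17), (3, 3, 6),
    (4, 3, 1), (5, 3, 17), (6, 3, 1),
]


def load_sample_db():
    """Build the in-memory database with the constructed rows (sid 1 throughout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)",
                     [(1, "Sig1"), (2, "Sig2"), (3, "Sig3")])
    for cid, sig, proto in SAMPLE_ROWS:
        conn.execute("INSERT INTO event VALUES (1, ?, ?, '2004-04-07 12:00:00')",
                     (cid, sig))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?)", (cid, proto))
    conn.commit()
    return conn


def find_mismatches(conn, expected=EXPECTED_PROTO):
    """Return (cid, sig_name, proto_name) for every event whose logged signature
    applies to a different IP protocol than the header Snort stored for it."""
    rows = conn.execute("""
        SELECT e.cid, e.signature, s.sig_name, i.ip_proto
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        ORDER BY e.cid""").fetchall()
    return [(cid, name, PROTO_NAME.get(proto, str(proto)))
            for cid, sig, name, proto in rows
            if sig in expected and expected[sig] != proto]


def top_signature_share(conn):
    """Fraction of events attributed to the single most common signature.
    A sudden jump toward 1.0 on a sensor that normally logs a mix of rules is
    the 'locked into one signature' symptom, even before protocols are checked."""
    total = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    if not total:
        return 0.0
    top = conn.execute("""SELECT COUNT(*) AS n FROM event
                          GROUP BY signature ORDER BY n DESC LIMIT 1""").fetchone()[0]
    return top / total


if __name__ == "__main__":
    db = load_sample_db()
    for cid, name, proto in find_mismatches(db):
        print(f"cid {cid}: logged as {name} but header protocol is {proto}")
    print(f"share of events on the top signature: {top_signature_share(db):.2f}")
```

Run against the sample data this reports cids 4, 5 and 6 as Sig3 events sitting on ICMP/UDP headers, which is exactly the inconsistency Spencer noticed by hand; scheduling the same query against the live event table gives an alert that the sensor needs a restart (or the upgrade James suggests) before the bad attributions pile up.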




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
