Snort mailing list archives
Re: snort locked into using one signature
From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 7 Apr 2004 13:00:36 -0700 (PDT)
On Wed, 7 Apr 2004 14:40:55 -0500 "Spencer Anderson" <sanderson () clearnorthtech com> wrote:

> Over the past week a strange thing has happened twice on my snort sensor. Traffic that is normally logged under different signatures has all been logged with the same signature, which isn't even correct. A generic example is:
>
> Pkt1 normally triggers Sig1
> Pkt2 normally triggers Sig2
> Pkt3 normally triggers Sig3
>
> At times when only packets of type Pkt1 and Pkt2 are passing by the sensor, only Sig3 is getting logged in the event table. If I restart snort it goes back to working correctly. It seems to me like Pkt3 is passing the sensor and occasionally snort is getting locked up and starts thinking every time there is a signature match, it should place Sig3 as the offending signature in the event table in my database.
>
> It seems snort is still comparing the packets against the signatures correctly because Sig3 is for TCP traffic and Pkt1 is ICMP and Pkt2 is UDP and the correct header information is being put into the database for each cid, it just decides to put Sig3 in event.signature for every different signature match snort detects.
>
> Both times this has happened to me Sig3 has been a different signature, so I don't think it's the rule definition itself.
>
> I am running Snort Version 2.1.0 (Build 9) & MySQL Ver 4.0.17 on Red Hat 9.
Spencer,

I saw this too sometimes using 2.0.* and 2.1.0. Try upgrading...kinda wild...don't know what causes it.

James
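The symptom Spencer describes is checkable from the database alone: the iphdr row for a cid records the real IP protocol, so any event whose event.signature points at a TCP-only rule while iphdr says ICMP or UDP is a row Snort could not have produced by matching correctly. The script below is an added diagnostic, not code from this thread or from the Snort project. It assumes the Snort 2.x MySQL schema as I recall it (event.signature references signature.sig_id, signature.sig_sid holds the rule SID, iphdr.ip_proto holds the IP protocol number); the rule lines and event rows are constructed stand-ins for the sensor's rules files and for the result of the query shown in the comment, and the SIDs in them are hypothetical.

```python
import re
from collections import Counter

# Constructed rule lines with hypothetical SIDs (not from the thread). On a real
# sensor, read the text of the rules files that snort.conf includes instead.
RULES_TEXT = """
alert icmp any any -> any any (msg:"EXAMPLE ICMP"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE UDP"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE TCP"; sid:1000003; rev:1;)
"""

# Rule header: action, protocol keyword, ... and a sid:N; option later on the same line.
RULE_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+.*?\bsid\s*:\s*(\d+)\s*;",
    re.MULTILINE,
)

# IP protocol numbers corresponding to the Snort rule protocol keywords we can judge.
IP_PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed query against the Snort 2.x schema; EVENT_ROWS stands in for its result set:
#   SELECT e.sid, e.cid, s.sig_sid, i.ip_proto
#     FROM event e
#     JOIN signature s ON s.sig_id = e.signature
#     JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid;
EVENT_ROWS = [
    {"sid": 1, "cid": 101, "sig_sid": 1000003, "ip_proto": 1},   # ICMP packet, TCP rule
    {"sid": 1, "cid": 102, "sig_sid": 1000003, "ip_proto": 17},  # UDP packet, TCP rule
    {"sid": 1, "cid": 103, "sig_sid": 1000003, "ip_proto": 6},   # TCP packet, TCP rule: fine
    {"sid": 1, "cid": 104, "sig_sid": 1000001, "ip_proto": 1},   # ICMP packet, ICMP rule: fine
]


def rule_protocols(rules_text):
    """Map rule SID -> protocol keyword (icmp/tcp/udp/ip) parsed from rule text."""
    return {int(sid): proto.lower() for proto, sid in RULE_RE.findall(rules_text)}


def find_mismatches(rows, sid_to_proto):
    """Return (sid, cid, rule_sid, rule_proto, packet_proto) for every event whose
    logged IP protocol cannot satisfy the protocol of the rule it was attributed to."""
    mismatches = []
    for row in rows:
        rule_proto = sid_to_proto.get(row["sig_sid"])
        pkt_proto = IP_PROTO_NAME.get(row["ip_proto"])
        # Unknown SID, 'ip' rules (match any protocol) and unmapped protocols cannot be judged.
        if rule_proto in (None, "ip") or pkt_proto is None:
            continue
        if rule_proto != pkt_proto:
            mismatches.append((row["sid"], row["cid"], row["sig_sid"], rule_proto, pkt_proto))
    return mismatches


def suspect_locked_signature(mismatches, min_events=2):
    """The 'stuck' rule SID if one rule accounts for at least min_events mismatches, else None."""
    counts = Counter(m[2] for m in mismatches)
    if not counts:
        return None
    rule_sid, n = counts.most_common(1)[0]
    return rule_sid if n >= min_events else None


if __name__ == "__main__":
    protos = rule_protocols(RULES_TEXT)
    bad = find_mismatches(EVENT_ROWS, protos)
    for sid, cid, rule_sid, rule_proto, pkt_proto in bad:
        print(f"sid={sid} cid={cid}: attributed to {rule_proto} rule {rule_sid}, "
              f"but iphdr says {pkt_proto}")
    print("suspect stuck signature:", suspect_locked_signature(bad))
```

Run it periodically (or once after noticing the symptom) and compare the suspect SID against what the sensor is logging; a non-empty mismatch list that all points at one rule is the pattern from the thread, and the cid values tell you when it started so you can line that up with the sensor's restart times.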
Current thread:
- snort locked into using one signature Spencer Anderson (Apr 07)
- Re: snort locked into using one signature James Nonya (Apr 07)
- Re: snort locked into using one signature Matt Kettler (Apr 07)