Snort mailing list archives
Re: Incorrect payload on acid alerts
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 10 Nov 2004 15:09:24 +1300
Joshua Berry wrote:
Several times I have seen a similar issue for HTTP sessions where multiple HTTP connections are shown for one alert. It appears that several sessions had been combined into a single snort alert and many of these sessions did not match any of the signatures.
I hate to do a "me too" - but, me too. I was sitting on it until I could come up with something more substantial to help find the problem, but I've seen snort trigger a "EXPLOIT ssh CRC32 overflow NOOP" between two hosts I control, and yet the packet captured by snort was actually HTTP headers bunged onto the end of some binary data.
It wasn't SSH data, it wasn't HTTP data, it was...? Packet length was 2630 - which makes me think there's still a bug in how snort aggregates packets together into flows.
This was snort-2.2.0 under Fedora Core 2
Jason