Snort mailing list archives
Re: snort mixes multiple (unrelated) payloads into one alert
From: Jason <security () brvenik com>
Date: Sun, 23 Jul 2006 23:34:10 -0400
Frank Knobbe wrote:
On Fri, 2006-07-21 at 22:07 +0300, nikns wrote:http://marc.theaimsgroup.com/?l=snort-users&m=114790291424807&w=2Yeah, great, it zero's the crap out. Still doesn't explain *why* the crap shows up in the first place. It's not a missing packet, it's a jumbled stream. Zero'ing it sort like putting a band-aid on it without discovering and fixing the real problem.
"This will cause Stream4 to zero out the memory of the rebuilt packet before copying in the new data. So, when packets are missing from the middle of the rebuilt packet, you'll get 0x00 in those bytes, rather than whatever was there from the previous rebuild." The problem is packet loss. A single buffer is used for reassembly. If you are missing packets when reassembly is done then the old data is still in the gaps...
Cheers, Frank ------------------------------------------------------------------------ ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort mixes multiple (unrelated) payloads into one alert Eric J. Bowser (Jul 21)
- Re: snort mixes multiple (unrelated) payloads into one alert Gentoo-Wally (Jul 21)
- Re: snort mixes multiple (unrelated) payloads into one alert nikns (Jul 21)
- Re: snort mixes multiple (unrelated) payloads into one alert Frank Knobbe (Jul 21)
- Re: snort mixes multiple (unrelated) payloads into one alert Jason (Jul 23)
- Re: snort mixes multiple (unrelated) payloads into one alert Jason Haar (Jul 23)
- Re: snort mixes multiple (unrelated) payloads into one alert Frank Knobbe (Jul 24)
- Re: snort mixes multiple (unrelated) payloads into one alert Jason Brvenik (Jul 24)
- Re: snort mixes multiple (unrelated) payloads into one alert Martin Roesch (Jul 24)
- Re: snort mixes multiple (unrelated) payloads into one alert Eric J. Bowser (Jul 24)
- Re: snort mixes multiple (unrelated) payloads into one alert Jason Brvenik (Jul 24)
- Re: snort mixes multiple (unrelated) payloads into one alert nikns (Jul 21)
- Re: snort mixes multiple (unrelated) payloads into one alert Gentoo-Wally (Jul 21)