Snort mailing list archives

Stream reassembly/stateful inspection errors


From: Alexander Hoogerhuis <alexh () ihatent com>
Date: 28 Oct 2001 22:45:53 +0100

I run snort locally on my Linux box (our company just got the
comparable function of a chief security officer, with a penchant for
real toys and tools. Hi, Per, I know you read this list. :] ). Since I
upgraded my box yesterday I have had my logs full of these warnings:

Oct 28 22:35:00 myhost snort[964]: [111:4:1] spp_stream4: WINDOW \
VIOLATION detection: x.x.x.x:32896 -> y.y.y.y:80

I run on RedHat 7.2 and Linux kernel version 2.4.13-ac2 (with Robert
M. Love's preempt-patch if it matters) and get this against pretty
much all machines I talk to.

HOME_NET is defined to only 127.0.0.1/8 as I move a lot around and
figured I may as well define everything as interesting traffic :)

As far as I can see I get this warning talking to anything out there,
so either something is wrong in my IP stack, or snort gets this wrong,
any takers with views? 

mvh,
A

-- 
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
