Snort mailing list archives
Stream reassembly/statefull inspection errors
From: Alexander Hoogerhuis <alexh () ihatent com>
Date: 28 Oct 2001 22:45:53 +0100
I run snort locally on my Linux box (our company just got the comparable function of a chief security officer, with a penchant for real toys and tools. Hi, Per, I know you read this list. :] ). Since I upgraded my box yesterday I have had my logs full of these warnings:

Oct 28 22:35:00 myhost snort[964]: [111:4:1] spp_stream4: WINDOW \
VIOLATION detection: x.x.x.x:32896 -> y.y.y.y:80

I run on RedHat 7.2 and linux kernel version 2.4.13-ac2 (with Robert M. Love's preempt-patch if it matters) and get this against pretty much all machines I talk to. HOME_NET is defined to only 127.0.0.1/8 as I move a lot around and figured I may as well define everything as interesting traffic :)

As far as I can see I get this warning talking to anything out there, so either something is wrong in my IP stack, or snort gets this wrong, any takers with views?

mvh,
A

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'