Snort mailing list archives

BUG in stream4 reassemble


From: Peng Yong <ppyy () staff cn99 com>
Date: Mon, 01 Apr 2002 17:25:10 +0800


We use Snort Version 1.8.4 (Build 99) to log all the POP3 packets of our
private network, and find there are some duplicate packets when we enable stream4_reassemble.

If we disable stream4_reassemble, it works OK.

The duplicate packet has a feature: the ID of the IP header is always 0. Here
is an example:

04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174

Is this a BUG of stream4_reassemble?


Here is our snort.conf:

preprocessor frag2
preprocessor stream4: keepstats
preprocessor stream4_reassemble: both, ports 110
var MY_NET [192.168.0.0/24]
log tcp any 110 <> $MY_NET any

And the logged packets are in the attachment.


--
Peng Yong                     Email: ppyy () staff cn99 com
Bentium Ltd.                  URL: http://www.cn99.com

Attachment: log