RE: Problems with snort-2.1.0

[Andreas Östling <andreaso () it su se>]

On Wed, 14 Jan 2004, Daniel J. Roelker wrote:

> Any other suggestions that users want in 2.1.1 for http_inspect or
> otherwise, please let us know.

Unfortunately I've not had a chance to play much with http_inspect yet so 
forgive me if I'm lost here, but one thing seems a bit strange to me.

For clients that send multiple requets in the same tcp stream, two alerts 
will be generated for the same request. First for the actual packet 
containing the bad request and then for the rebuilt client stream which 
obviously contains the same request again among other stuff.

Is this the expected behaviour?
(I have examples with packet dumps if needed)
   
/Andreas


-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users