Snort mailing list archives

snort locked into using one signature


From: "Spencer Anderson" <sanderson () clearnorthtech com>
Date: Wed, 7 Apr 2004 14:40:55 -0500

Over the past week a strange thing has happened twice on my snort
sensor.  Traffic that is normally logged under different signatures has
all been logged with the same signature, which isn't even correct.  A
generic example is:

Pkt1 normally triggers Sig1
Pkt2 normally triggers Sig2
Pkt3 normally triggers Sig3

At times when only packets of type Pkt1 and Pkt2 are passing by the
sensor, only Sig3 is getting logged in the event table.  If I restart
snort it goes back to working correctly.  It seems to me like Pkt3
is passing the sensor and occasionally snort is getting locked up and
starts thinking every time there is a signature match, it should place
Sig3 as the offending signature in the event table in my database.

It seems snort is still comparing the packets against the signatures
correctly because Sig3 is for TCP traffic and Pkt1 is ICMP and Pkt2 is
UDP and the correct header information is being put into the database
for each cid, it just decides to put Sig3 in event.signature for every
different signature match snort detects.

Both times this has happened to me Sig3 has been a different signature,
so I don't think it's the rule definition itself.

I am running Snort Version 2.1.0 (Build 9) & MySQL Ver 4.0.17 on Red Hat
9.
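A consistency check for the pattern described in this post (added here as an example, not code from the poster or from the Snort project): within a time window, many events with several IP protocols in iphdr but only one distinct event.signature. It assumes the column names of the Snort MySQL schema (event.sid/cid/signature/timestamp, iphdr.sid/cid/ip_proto) and runs the query against an in-memory SQLite copy filled with constructed rows.

```python
import sqlite3

# Constructed sample rows (not from the poster's database): three cids
# whose IP headers say ICMP (1), UDP (17) and TCP (6), yet every event row
# was written with signature 3, which is the symptom described in the post.
EVENTS = [(1, 1, 3, "2004-04-07 14:00:01"),
          (1, 2, 3, "2004-04-07 14:00:02"),
          (1, 3, 3, "2004-04-07 14:00:03")]
IPHDRS = [(1, 1, 1), (1, 2, 17), (1, 3, 6)]

# Column names assumed to follow the Snort MySQL schema (event, iphdr).
CHECK_SQL = """
SELECT COUNT(*)                    AS events,
       COUNT(DISTINCT e.signature) AS distinct_sigs,
       COUNT(DISTINCT i.ip_proto)  AS distinct_protos
FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.timestamp BETWEEN ? AND ?
"""


def build_db(events, iphdrs):
    """Create the two relevant tables in SQLite and load the given rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE event(sid INT, cid INT, signature INT, timestamp TEXT);
        CREATE TABLE iphdr(sid INT, cid INT, ip_proto INT);""")
    con.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    con.executemany("INSERT INTO iphdr VALUES (?,?,?)", iphdrs)
    return con


def signature_lock_suspected(con, start, end, min_events=3):
    """True when the window holds at least min_events events spanning more
    than one IP protocol but mapped to a single signature: the 'locked'
    state from the post, where Sig3 (a TCP rule) was logged for ICMP/UDP."""
    events, sigs, protos = con.execute(CHECK_SQL, (start, end)).fetchone()
    return events >= min_events and sigs == 1 and protos > 1


if __name__ == "__main__":
    db = build_db(EVENTS, IPHDRS)
    window = ("2004-04-07 14:00:00", "2004-04-07 14:05:00")
    print("signature lock suspected:", signature_lock_suspected(db, *window))
```

Against a live sensor the same query can be scheduled per window so a stuck sensor is noticed before it must be restarted by hand.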

