Snort mailing list archives
RE: Incorrect payload on acid alerts
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 9 Nov 2004 08:59:11 -0600
Several times I have seen a similar issue for HTTP sessions where multiple HTTP connections are shown for one alert. It appears that several sessions had been combined into a single snort alert and many of these sessions did not match any of the signatures.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alex Butcher, ISC/ISYS
Sent: Tuesday, November 09, 2004 8:50 AM
To: Dirk Geschke; snortman () hotpop com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Incorrect payload on acid alerts

--On 09 November 2004 14:58 +0100 Dirk Geschke <Dirk_Geschke () genua de> wrote:
Hi,

I have a snort version 2.1.0 installed a few months now and it worked fine. Alerts output is to mysql and acid. Recently I added a Microsoft sms server which creates tons of alerts. For example:

WEB-MISC http directory traversal

The problem is when I look at the payload I can see the beginning of the payload which was actually sent to the sms server and the rest completely different sessions (parts of email messages, part of telnet sessions). The alert is generated by the wrong part of the payload. Can anyone help me?

Yes, upgrade to snort-2.1.3 or better to snort-2.2.0. There were some bugs within stream4 which caused a mixup of parts from other sessions.
I've seen this in 2.2.0, also. :-( The checksum has been wrong in these cases. I wasn't sure whether it was caused by a bug in the switch whose ports I'm spanning, or snort, otherwise I'd have reported it before now.
Dirk
Best Regards, Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

-------------------------------------------------------
This SF.Net email is sponsored by: Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
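Alex's message raises the practical question a sensor operator has to settle first: were the checksums already wrong on the packets arriving at the span port, or did snort produce the mixed-up payload itself? The script below is an added example, not code from the thread or from the Snort project. It verifies the IPv4 header checksum and the TCP checksum (pseudo-header plus segment, RFC 1071 one's-complement arithmetic) on raw IPv4/TCP frames and counts the failures, so a short capture taken on the sensor interface can be audited independently of snort. The frames it runs on are constructed inline (an HTTP request and an SMTP line standing in for the two session types the thread mentions, plus a copy of the HTTP frame with one checksum byte flipped); the addresses, ports and payloads are assumptions for illustration only.

```python
"""Verify IPv4 header and TCP checksums on raw frames.

Added example, not part of the Snort-users thread or of Snort itself.
All packets are constructed inline; nothing is read from a live interface.
"""
import struct
from typing import Dict, List

IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit big-endian words of data into a one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto, length) and the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return checksum(pseudo + segment)


def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int,
                   seq: int, payload: bytes, flags: int = 0x18) -> bytes:
    """Build a minimal IPv4/TCP packet (no options) with correct checksums; PSH/ACK by default."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, tcp_hdr + payload) or 0xFFFF  # 0 is sent as 0xFFFF
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def verify_ipv4_tcp(frame: bytes) -> Dict[str, object]:
    """Check both checksums on one IPv4/TCP frame and report stored vs. expected TCP values."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    src, dst = frame[12:16], frame[16:20]
    # A header whose stored checksum is correct sums to all ones, so checksum() yields 0.
    ip_ok = checksum(frame[:ihl]) == 0
    segment = frame[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    expected = tcp_checksum(src, dst, zeroed) or 0xFFFF
    tcp_ok = tcp_checksum(src, dst, segment) == 0  # same all-ones property, field included
    data_off = (segment[12] >> 4) * 4
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok, "stored": stored,
            "expected": expected, "payload": segment[data_off:]}


def audit(frames: List[bytes]) -> Dict[str, int]:
    """Count frames whose IP or TCP checksum fails; a non-zero count points at the capture path."""
    bad_ip = bad_tcp = 0
    for frame in frames:
        result = verify_ipv4_tcp(frame)
        bad_ip += not result["ip_ok"]
        bad_tcp += not result["tcp_ok"]
    return {"frames": len(frames), "bad_ip": bad_ip, "bad_tcp": bad_tcp}


# Constructed sample traffic (assumed addresses/ports): an HTTP request of the kind that
# trips a directory-traversal rule, and an unrelated SMTP command from another session.
SRC = bytes([10, 0, 0, 5])
HTTP = build_ipv4_tcp(SRC, bytes([10, 0, 0, 80]), 40001, 80, 1000,
                      b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n")
SMTP = build_ipv4_tcp(SRC, bytes([10, 0, 0, 25]), 40002, 25, 2000,
                      b"MAIL FROM:<user@example.com>\r\n")
# The HTTP frame with one bit flipped in its TCP checksum (byte 20 + 16 = 36),
# as a damaged span-port or capture-host copy would look.
CORRUPTED = HTTP[:36] + bytes([HTTP[36] ^ 0x01]) + HTTP[37:]

if __name__ == "__main__":
    for name, frame in (("HTTP", HTTP), ("SMTP", SMTP), ("CORRUPTED", CORRUPTED)):
        r = verify_ipv4_tcp(frame)
        print("%-9s ip_ok=%s tcp_ok=%s stored=0x%04x expected=0x%04x"
              % (name, r["ip_ok"], r["tcp_ok"], r["stored"], r["expected"]))
    print(audit([HTTP, SMTP, CORRUPTED]))
```

If the audit reports bad TCP checksums on frames that came straight off the span port, the capture path (switch, NIC offload on the sensor, or the span configuration) is corrupting packets before snort sees them, and stream4 is not the first suspect. If every checksum verifies on the wire but the payload stored by the database output plugin still contains fragments of other sessions, the reassembler is the place to look, which matches Dirk's advice to move to a release with the stream4 fixes. Whether snort inspects bad-checksum packets at all is governed by its `config checksum_mode` setting (the `-k` command-line option in Snort 2.x), so that setting is worth confirming in snort.conf while you investigate.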
Current thread:
- Incorrect payload on acid alerts snortman (Nov 09)
- Re: Incorrect payload on acid alerts Dirk Geschke (Nov 09)
- Re: Incorrect payload on acid alerts Alex Butcher, ISC/ISYS (Nov 09)
- <Possible follow-ups>
- RE: Incorrect payload on acid alerts Joshua Berry (Nov 09)
- Re: Incorrect payload on acid alerts Jason Haar (Nov 09)
- Re: Incorrect payload on acid alerts M. Shirk (Nov 10)
- Re: Incorrect payload on acid alerts Dirk Geschke (Nov 09)