Snort mailing list archives
Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)
From: "Jason Haar" <Jason.Haar () trimble co nz>
Date: Sat, 13 Nov 2004 21:54:51 +1300 (NZDT)
Hmm - I can't find a bug reporting system as such - so I guess this just goes here?

In the past week there have been 4(?) people all report snort-2.2.0 appears to be merging separate data streams together into one alert (and I assume that means it was tracking them as one stream in the first place).

Just tonight I noticed an alert on one of my systems about a "NON-RFC HTTP DELIMITER" which is nothing of the kind - it's around 3 separate HTTP transactions that have been merged together (8134 bytes) - not end-to-end either (there's a "\r\nr: unknown\r\n" in the middle of it that would have actually been a "\r\nX-Forwarded-For: unknown\r\n" from our proxy server - but has been "corrupted").

All the other email reports seem to be HTTP-related (which implies http_inspect?), but I have seen it happen to both HTTP and SSH traffic - which more implies stream4.

Has anyone on the Snort team picked up on this "noise" yet? :-)

Thanks!

Jason
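The symptom described in the post (one alert payload containing several HTTP requests, with a header name truncated mid-stream) can be triaged from the alert payload itself before looking at the sensor. The script below is an added example, not code from the post or from the Snort project; it splits a reassembled payload at HTTP request lines, counts how many transactions were glued together, and flags header lines whose name is a proper suffix of a common header (the way "r: unknown" is the tail of "X-Forwarded-For: unknown"). The sample payload, hostnames and paths are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample: three client HTTP requests run together in one payload,
# with one header name truncated to "r: unknown" (the symptom the report
# describes). Hostnames and paths are made up for the example.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: unknown\r\n\r\n"
    b"GET /images/logo.gif HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"r: unknown\r\n\r\n"
    b"GET /style.css HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# Request line (method, request-URI, version) per RFC 2616 section 5.1.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
# Header field: token ":" optional whitespace value.
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")
# Header names commonly seen in proxied client traffic (assumed list, used
# only to rank suspicious lines, not as an RFC conformance check).
COMMON_HEADERS = {b"host", b"user-agent", b"accept", b"accept-encoding",
                  b"accept-language", b"connection", b"referer", b"cookie",
                  b"x-forwarded-for", b"via", b"content-length", b"content-type"}


def split_transactions(payload: bytes) -> list[list[bytes]]:
    """Split a reassembled payload into per-request line lists, cutting at
    each line that looks like an HTTP request line. Lines before the first
    request line are dropped."""
    transactions: list[list[bytes]] = []
    current: list[bytes] | None = None
    for line in payload.split(b"\r\n"):
        if REQUEST_LINE.match(line):
            current = [line]
            transactions.append(current)
        elif current is not None and line:
            current.append(line)
    return transactions


def possible_originals(name: bytes) -> list[bytes]:
    """Common header names of which `name` is a proper suffix, i.e. what the
    header may have been before the front of the line was lost."""
    name = name.lower()
    return sorted(h for h in COMMON_HEADERS if h != name and h.endswith(name))


def suspect_headers(lines: list[bytes]) -> list[tuple[bytes, list[bytes]]]:
    """Header lines within one request that are malformed or whose name looks
    like the tail of a common header. Each entry is (line, candidates)."""
    out: list[tuple[bytes, list[bytes]]] = []
    for line in lines[1:]:  # skip the request line itself
        m = HEADER_LINE.match(line)
        if not m:
            out.append((line, []))  # not even "token: value"
            continue
        name = m.group(1).lower()
        candidates = possible_originals(name)
        if candidates and name not in COMMON_HEADERS:
            out.append((line, candidates))
    return out


def triage(payload: bytes) -> dict:
    """Summarise one alert payload: how many requests it contains and which
    header lines look truncated. More than one request in a single payload
    suggests the reassembler merged separate transactions."""
    txns = split_transactions(payload)
    suspects = [(i, line, cands)
                for i, txn in enumerate(txns)
                for line, cands in suspect_headers(txn)]
    return {"transactions": len(txns), "suspects": suspects}


if __name__ == "__main__":
    result = triage(SAMPLE_PAYLOAD)
    print(f"requests in payload: {result['transactions']}")
    for idx, line, cands in result["suspects"]:
        print(f"request {idx}: {line!r} (possibly {b', '.join(cands)!r})")
```

Feeding the payload of a real alert (as captured by the console or pulled from the database) into `triage()` separates two questions the post conflates: whether the rule matched on a genuine delimiter problem, and whether the payload is a reassembly artifact made of several requests with bytes missing in the middle. A count above one, together with a flagged suffix header, points at the reassembler rather than at the client.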
Current thread:
- Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts) Jason Haar (Nov 13)
- FW: Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts) snortman (Nov 13)