Snort mailing list archives

Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)


From: "Jason Haar" <Jason.Haar () trimble co nz>
Date: Sat, 13 Nov 2004 21:54:51 +1300 (NZDT)

Hmm - I can't find a bug reporting system as such - so I guess this just
goes here?

In the past week there have been 4(?) people all reporting that snort-2.2.0
appears to be merging separate data streams together into one alert (and I
assume that means it was tracking them as one stream in the first place).
Just tonight I noticed an alert on one of my systems about a "NON-RFC HTTP
DELIMITER" which is nothing of the kind - it's around 3 separate HTTP
transactions that have been merged together (8134 bytes) - not end-to-end
either (there's a "\r\nr: unknown\r\n" in the middle of it that would have
actually been a "\r\nX-Forwarded-For: unknown\r\n" from our proxy server -
but has been "corrupted").

All the other email reports seem to be HTTP-related (which implies
http_inspect?), but I have seen it happen to both HTTP and SSH traffic,
which points more at stream4.

Has anyone on the Snort team picked up on this "noise" yet? :-)

Thanks!

Jason


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
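An added triage script, not from the post and not part of Snort, for checking whether an alert payload looks like the merged stream Jason describes: it splits the payload at every HTTP request line, counts the transactions, and flags header names it does not recognise, listing known request headers that end in the same characters (so a mangled "r: unknown" shows "x-forwarded-for" as a candidate). The sample payload and the list of known header names are constructed for the example; the three-transaction payload is modelled on the post's description, not on real captured data.

```python
import re

# Constructed sample alert payload (not real capture data): three HTTP
# requests run together, with one header damaged the way the post describes,
# "X-Forwarded-For: unknown" surviving only as "r: unknown".
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Forwarded-For: unknown\r\n\r\n"
    b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.com\r\n"
    b"r: unknown\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 11\r\n\r\nuser=jason\n"
)

# Assumed set of request header names worth trusting; extend to taste.
KNOWN_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-length", "content-type", "cookie", "referer",
    "x-forwarded-for", "via", "cache-control", "pragma", "authorization",
    "if-modified-since",
}

# An HTTP/1.x request line at the start of a line (multiline mode).
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?$",
    re.M,
)
# "Name: value" on a single header line (the line is already CRLF-stripped).
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")


def split_transactions(payload):
    """Cut the payload at every request line; one chunk per HTTP transaction."""
    starts = [m.start() for m in REQUEST_LINE.finditer(payload)]
    if not starts:
        return [payload]
    bounds = starts + [len(payload)]
    return [payload[s:e] for s, e in zip(bounds, bounds[1:])]


def headers_of(chunk):
    """Return (name, value) pairs from the header block of one transaction."""
    head = chunk.split(b"\r\n\r\n", 1)[0]
    out = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        m = HEADER_LINE.match(line)
        if m:
            out.append((m.group(1).decode("ascii", "replace"),
                        m.group(2).decode("ascii", "replace")))
    return out


def analyze_payload(payload, known=KNOWN_REQUEST_HEADERS):
    """Count transactions and flag header names that look truncated."""
    chunks = split_transactions(payload)
    suspects = []
    for idx, chunk in enumerate(chunks):
        for name, value in headers_of(chunk):
            lname = name.lower()
            if lname in known:
                continue
            # A clipped header keeps its tail, so look for known names
            # that end with what survived.
            candidates = sorted(k for k in known if k.endswith(lname))
            suspects.append({"transaction": idx, "name": name,
                             "value": value, "candidates": candidates})
    return {"transactions": len(chunks),
            "lengths": [len(c) for c in chunks],
            "suspects": suspects}


if __name__ == "__main__":
    report = analyze_payload(SAMPLE_PAYLOAD)
    print("transactions:", report["transactions"], "lengths:", report["lengths"])
    for s in report["suspects"]:
        print("suspect header in transaction %d: %r=%r, candidates %s"
              % (s["transaction"], s["name"], s["value"], s["candidates"]))
```

A single alert payload with more than one request line, or a header name that only matches known headers by its tail, is the pattern to look for when sorting real reports from noise; the script says nothing about which preprocessor caused it.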
