Snort mailing list archives
FW: Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)
From: <snortman () hotpop com>
Date: Sat, 13 Nov 2004 22:20:52 +0200
I also think it's related to stream4. I have seen it happen to my sensor with http_inspect disabled.

I am using snort 2.1.0 (only updated rules up till now). Should I update to 2.1.3 or 2.2.0 to fix this problem? Has anyone seen this happen in version 2.1.3?

Additional info:
1. I am capturing traffic from 2 VLANs using port span.
2. My traffic is pretty high. Could this be the cause?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Haar
Sent: Saturday, November 13, 2004 10:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts)

Hmm - I can't find a bug reporting system as such - so I guess this just goes here?

In the past week there have been 4(?) people all report snort-2.2.0 appears to be merging separate data streams together into one alert (and I assume that means it was tracking them as one stream in the first place).

Just tonight I noticed an alert on one of my systems about a "NON-RFC HTTP DELIMITER" which is nothing of the kind - it's around 3 separate HTTP transactions that have been merged together (8134 bytes) - not end-to-end either (there's a "\r\nr: unknown\r\n" in the middle of it that would have actually been a "\r\nX-Forwarded-For: unknown\r\n" from our proxy server - but has been "corrupted").

All the other email reports seem to be HTTP-related (which implies http_inspect?), but I have seen it happen to both HTTP and SSH traffic - which more implies stream4.

Has anyone on the Snort team picked up on this "noise" yet? :-)

Thanks!

Jason

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
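The symptom described in the thread (several HTTP transactions glued into one alert payload, with a header line damaged in the middle) leaves a recognisable fingerprint in the alert data itself. The following triage helper is an added example, not code from the thread or from the Snort project: given the payload bytes stored with an alert, it counts HTTP request lines and flags header lines with implausibly short names (such as the "r: unknown" left over from a truncated "X-Forwarded-For: unknown"), so an analyst can separate reassembly artefacts from real "NON-RFC HTTP DELIMITER" hits before escalating them. The sample payload is constructed for the example; the header-name heuristic is an assumption, not a Snort rule.

```python
import re
from dataclasses import dataclass, field

# An HTTP/1.x request line at the start of a line. One reassembled client
# stream normally yields one request per alert payload; several in a single
# payload suggest separate streams were merged by the reassembler.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r?$",
    re.MULTILINE,
)

# A generic "Name: value" header line.
HEADER_LINE = re.compile(rb"^([A-Za-z0-9-]+): [^\r\n]*\r?$", re.MULTILINE)


@dataclass
class MergeReport:
    request_offsets: list = field(default_factory=list)   # byte offset of each request line
    suspicious_headers: list = field(default_factory=list)  # (offset, line) of damaged headers


def analyse_payload(payload: bytes) -> MergeReport:
    """Scan one alert payload for signs that it spans more than one stream."""
    report = MergeReport()
    report.request_offsets = [m.start() for m in REQUEST_LINE.finditer(payload)]
    for m in HEADER_LINE.finditer(payload):
        name = m.group(1)
        # Heuristic (assumption): real header names are at least two characters;
        # a one-character name is the tail of a header whose start was lost.
        if len(name) < 2:
            report.suspicious_headers.append((m.start(), m.group(0)))
    return report


def looks_merged(payload: bytes) -> bool:
    """True when the payload is more likely a reassembly artefact than a real hit."""
    report = analyse_payload(payload)
    return len(report.request_offsets) > 1 or bool(report.suspicious_headers)


# Constructed sample: three requests run together, the second one carrying a
# header whose name was cut down to a single character.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: unknown\r\n"
    b"\r\n"
    b"GET /images/logo.gif HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"r: unknown\r\n"
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"user=test"
)


if __name__ == "__main__":
    rep = analyse_payload(SAMPLE_PAYLOAD)
    print("request lines at offsets:", rep.request_offsets)
    print("suspicious headers:", rep.suspicious_headers)
    print("looks merged:", looks_merged(SAMPLE_PAYLOAD))
```

The request-line count is the stronger signal; the short-header check only adds confidence and can misfire on bodies that happen to contain "x: y" text, so treat a flagged payload as a candidate for review rather than an automatic discard.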
Current thread:
- Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts) Jason Haar (Nov 13)
- <Possible follow-ups>
- FW: Bug: snort-2.2.0 appears to be merging separate streams (was: Incorrect payload on acid alerts) snortman (Nov 13)