Snort mailing list archives

Re: Snort 2.6.1.3 ignoring stream4


From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 19 Apr 2007 15:12:58 -0400

If I am not mistaken we got Paul on the path yesterday and all is well
now. I will let him provide details if he feels it appropriate.

The culprit was a pair of old (circa 2.1) rules that had only a pcre:
pattern.  These combined with changes made to Snort's pcre functionality
between 2.6.0 and 2.6.1 to cause the performance problem.  Adding flow:
conditions to these rules fixed the problem.

If you're interested, I posted some more of the gory details on my blog:
http://pmelson.blogspot.com

PaulM
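
Added example (not part of the original message and not Snort's own code): a small Python check that lists rules matching on pcre alone with no flow: option, the pattern the message above describes. The sample rules, sids and function names are constructed for illustration.

```python
# Constructed sample ruleset; the sids and patterns are made up for this example.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"pcre only, no flow"; pcre:"/cmd=\"[^\"]{200,}\;/i"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"pcre only, flow added"; flow:to_server,established; pcre:"/cmd=\"[^\"]{200,}\;/i"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"content plus pcre"; content:"cmd="; pcre:"/cmd=[a-z]+/i"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; pcre:"/x/"; sid:1000004; rev:1;)
'''

def split_options(body):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # real option terminator
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [o for o in opts if o]

def pcre_only_without_flow(rules_text):
    """Return sids of active rules that use pcre with no content match and no flow."""
    flagged = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and disabled rules
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue
        opts = split_options(line[start + 1:end])
        names = {o.split(":", 1)[0].strip() for o in opts}
        if "pcre" not in names or names & {"content", "uricontent", "flow"}:
            continue
        sid = next((o.split(":", 1)[1].strip() for o in opts if o.startswith("sid:")), "?")
        flagged.append(sid)
    return flagged

if __name__ == "__main__":
    for sid in pcre_only_without_flow(SAMPLE_RULES):
        print(f"sid {sid}: pcre-only rule with no flow: option")
```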




