Re: stream4 oddity

[Chris Green <cmg () sourcefire com>]

Frank Knobbe <fknobbe () knobbeits com> writes:

> Guys,
>
> does anyone else notice weird things when stream4 is enabled?
>
> The system I noticed this on is running Snort 1.8.6 (build 107) on
> NT4sp6. I have a custom alert type configured, let's call it custom.
> Custom can call any output_alert, it doesn't matter for this issue. 
> Without stream4, Snort logs fine to directories, and alerts on both,
> stock alert and the custom alert.
>
> Now I include stream4 with:
> preprocessor stream4: detect_state_problems, timeout 300, detect_scans
> preprocessor stream4_reassemble: both, ports all
>
> Now Snort still logs to directories. The custom alert doesn't fire at
> all. The stock alert still works (although for a while it wasn't event
> alerting to that).

Ok need more specifics here on what traffic, what rule, and how your
rule type is defined.  Rule types are one of the edge cases of snort
that isn't tested very often and needs to be replaced with a cleaner
functionality

Off the top of myhead, there will still be alerts to the default
functionality in addition to your custom ones but shouldn't nuke your
custom ones

> Why should the preprocessor munge the data in such a way that the stock
> alert still works, but custom alert types don't? Has anyone else noticed
> a behavior like this?
>
> Regards,
> Frank

-- 
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users