Snort mailing list archives

Re: Some alerts look like aggregated TCP sessions...


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Aug 2002 18:12:14 -0700 (PDT)

On Wed, 28 Aug 2002, Jason Haar wrote:

> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
>
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!
>
> [...snip...]
>
> Snort-1.8.7 under RH Linux, with following options:
>
> [...snip...]

Jason, are you running the 1.8.7 release?  Or is it a 1.8.7 CVS snapshot?  If
it's release, upgrade to the CVS version.  There was a bug in stream4 that
caused packet munging like what you are showing.

Give the CVS version of 1.8.7 a whirl, or even try 1.9 CVS.  1.9's quite
smooth and seems to have a bit more zip to it.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
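An added illustration of the class of false positive discussed above (this is not code from the thread or from Snort): a size-based "overflow" check that no single TCP segment trips, but that fires once the segments are concatenated into one reassembled buffer, plus a triage check for telling such an aggregated payload apart from a real oversized packet. The segments, the 64-byte threshold and the FTP-style commands are constructed for the example.

```python
"""Per-segment versus reassembled-stream matching, and a triage check for
alerts whose payload could only have come from several segments glued together."""

# Constructed sample: three TCP segments of one session as (seq, payload).
# Each is an ordinary short command line; none is oversized on its own.
SEGMENTS = [
    (1000, b"USER anonymous\r\n"),
    (1016, b"PASS " + b"A" * 30 + b"\r\n"),
    (1053, b"CWD " + b"B" * 40 + b"\r\n"),
]

# Toy stand-in for a dsize-style overflow rule (assumed threshold, not a real rule).
MAX_NORMAL = 64


def reassemble(segments):
    """Concatenate payloads in sequence order, i.e. what a stream reassembler
    hands to the rule engine as one pseudo-packet."""
    return b"".join(payload for _, payload in sorted(segments))


def per_segment_alerts(segments):
    """Sequence numbers of segments that exceed the threshold individually."""
    return [seq for seq, payload in segments if len(payload) > MAX_NORMAL]


def reassembled_alert(segments):
    """Does the same rule fire on the reassembled buffer?"""
    return len(reassemble(segments)) > MAX_NORMAL


def looks_aggregated(alert_payload, segments):
    """Triage: an alert payload longer than the largest real segment of the
    session, or holding more than one complete command line, came from a
    reassembled buffer rather than from a single wire packet."""
    biggest = max(len(payload) for _, payload in segments)
    lines = [ln for ln in alert_payload.split(b"\r\n") if ln]
    return len(alert_payload) > biggest or len(lines) > 1


if __name__ == "__main__":
    print("per-segment alerts:", per_segment_alerts(SEGMENTS))
    print("alert on reassembled buffer:", reassembled_alert(SEGMENTS))
    print("aggregated?", looks_aggregated(reassemble(SEGMENTS), SEGMENTS))
```

Comparing the alert payload's length against the session's real segment sizes is the quickest way to confirm that an alert of this kind is an artefact of reassembly rather than an oversized packet on the wire.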


