Snort mailing list archives
Re: Some alerts look like aggregated TCP sessions...
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Aug 2002 18:12:14 -0700 (PDT)
On Wed, 28 Aug 2002, Jason Haar wrote:
> I've noticed a certain class of false positives for some time, but have just realised what was wrong with them. I'm getting "buffer overflow" class alerts that actually look like they are several packets in one!

[...snip...]

> Snort-1.8.7 under RH Linux, with following options:

[...snip...]

Jason, are you running the 1.8.7 release? Or is it a 1.8.7 CVS snapshot? If it's release, upgrade to the CVS version. There was a bug in stream4 that caused packet munging like what you are showing. Give the CVS version of 1.8.7 a whirl, or even try 1.9 CVS. 1.9's quite smooth and seems to have a bit more zip to it.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Current thread:
- Some alerts look like aggregated TCP sessions... Jason Haar (Aug 27)
- Re: Some alerts look like aggregated TCP sessions... Chris Green (Aug 27)
- Re: Some alerts look like aggregated TCP sessions... Erek Adams (Aug 27)