Snort mailing list archives
snort locked into using one signature
From: "Spencer Anderson" <sanderson () clearnorthtech com>
Date: Wed, 7 Apr 2004 14:40:55 -0500
Over the past week a strange thing has happened twice on my snort sensor. Traffic that is normally logged under different signatures has all been logged with the same signature, which isn't even correct. A generic example is:

    Pkt1 normally triggers Sig1
    Pkt2 normally triggers Sig2
    Pkt3 normally triggers Sig3

At times when only packets of type Pkt1 and Pkt2 are passing by the sensor, only Sig3 is getting logged in the event table. If I restart snort it goes back to working correctly.

It seems to me like Pkt3 is passing the sensor and occasionally snort is getting locked up and starts thinking every time there is a signature match, it should place Sig3 as the offending signature in the event table in my database. It seems snort is still comparing the packets against the signatures correctly because Sig3 is for TCP traffic and Pkt1 is ICMP and Pkt2 is UDP and the correct header information is being put into the database for each cid; it just decides to put Sig3 in event.signature for every different signature match snort detects.

Both times this has happened to me Sig3 has been a different signature, so I don't think it's the rule definition itself.

I am running Snort Version 2.1.0 (Build 9) & MySQL Ver 4.0.17 on Red Hat 9.
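One way to spot the mislabelling described above without waiting for someone to notice it, added here as an example that is not from the original message or from the Snort project: it rebuilds a minimal subset of the Snort database output schema (assumed: event and iphdr tables with the columns used below) in SQLite, loads constructed rows that reproduce the symptom, and flags any signature whose events span more than one IP protocol, since a TCP rule should never be recorded against ICMP or UDP headers.

```python
import sqlite3

# Assumed subset of the Snort 2.x database output schema: each event row is
# keyed by (sid, cid) and joins to the decoded IP header for that packet.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER);
"""

# Constructed sample rows. cids 1-3 are healthy (one signature per protocol);
# cids 4-6 show the reported symptom: all labelled signature 3 although their
# IP headers say ICMP (1), UDP (17) and TCP (6).
SAMPLE_EVENTS = [
    (1, 1, 1, "2004-04-07 14:00:00"), (1, 2, 2, "2004-04-07 14:00:01"),
    (1, 3, 3, "2004-04-07 14:00:02"), (1, 4, 3, "2004-04-07 14:10:00"),
    (1, 5, 3, "2004-04-07 14:10:01"), (1, 6, 3, "2004-04-07 14:10:02"),
]
SAMPLE_IPHDR = [
    (1, 1, 0x0A000001, 0x0A000002, 1), (1, 2, 0x0A000001, 0x0A000002, 17),
    (1, 3, 0x0A000001, 0x0A000002, 6), (1, 4, 0x0A000003, 0x0A000002, 1),
    (1, 5, 0x0A000003, 0x0A000002, 17), (1, 6, 0x0A000003, 0x0A000002, 6),
]


def open_sample_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", SAMPLE_IPHDR)
    return conn


def suspect_signatures(conn, min_protocols=2):
    """Map signature id -> (sorted IP protocols seen, event count) for every
    signature whose events carry at least min_protocols distinct protocols.
    Rules written against the generic 'ip' protocol legitimately span
    protocols and should be excluded from the result by the caller."""
    protos, counts = {}, {}
    query = ("SELECT e.signature, i.ip_proto FROM event e "
             "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid")
    for sig, proto in conn.execute(query):
        protos.setdefault(sig, set()).add(proto)
        counts[sig] = counts.get(sig, 0) + 1
    return {sig: (sorted(p), counts[sig])
            for sig, p in protos.items() if len(p) >= min_protocols}
```

Run against a live sensor database, a non-empty result for a protocol-specific rule is the signal that the output plugin has started stamping every event with one signature.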
Current thread:
- snort locked into using one signature Spencer Anderson (Apr 07)
- Re: snort locked into using one signature James Nonya (Apr 07)
- Re: snort locked into using one signature Matt Kettler (Apr 07)