Hosting Provided By

RE: [Snort-devel] significant changes from build 87 to build 88?

From: Bradberry, John <BradberryJ(at)aafes.com>
Date: Wed Aug 13 2003 - 18:43:30 EDT

Hello:

Our team has experienced this problem in a production environment using build 88 on multiple systems. Our research has identified symptoms very similar to those noted by Mr. Wood. The problem was discovered during a demonstration. :-|

The snort.org team has produced a very useful and capable utility, and we're interested to provide assistance if possible. I'll provide pcap logs or testing assistance if needed.

John Bradberry
The Greentree Group

-----Original Message-----

From: Phil Wood [mailto:cpw@lanl.gov]
Sent: Wednesday, August 13, 2003 3:04 PM To: Erickson Brent W KPWA
Cc: 'Phil Wood'; snort-devel@lists.sourceforge.net Subject: Re: [Snort-devel] significant changes from build 87 to build 88?

It fails on build 90 also.

I haven't seen the problem since commenting out the stream4_reassemble preprocessor. But, I've only been running with the change for about 5 hours.

Problem in a nut shell:

Do you need help?

Wrong IP and TCP information for syslog alert and '-b' pcap file on occasion.

Here is what I know (precious little):

It does not happen all the time. Some times the alerts are correct.
The incorrect alerts have ip addresses and port numbers from a different session.
The different session has always been a relatively long stream in the range 5Mbytes to 8Mbytes without content to cause an alert.
The session with the content that generates the alert is around 35Kbytes.
It happens during times of no packet loss and relatively low packet rates (3K pps at 5 AM today).

This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Wed Aug 13 19:15:30 2003

This message: [ Message body ]
Next message: Jesper Peterson: "[Snort-devel] Patch: support for CHDLC and PPP_SERIAL DLTs"
Previous message: Erickson Brent W KPWA: "RE: [Snort-devel] significant changes from build 87 to build 88?"
Maybe in reply to: Phil Wood: "[Snort-devel] significant changes from build 87 to build 88?"
Next in thread: Phil Wood: "Re: [Snort-devel] significant changes from build 87 to build 88?"
Reply: Phil Wood: "Re: [Snort-devel] significant changes from build 87 to build 88?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:07 EDT