[unisog] Snort woes
cmgreen at uab.edu
Mon Jan 24 17:32:10 GMT 2005
On 1/23/05 10:35 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> Background: this issue first came to my attention after moving to
> 2.3RC2 recently when I noticed large numbers of tagged packets appearing
> in the log file. I could not figure out why the packets had been tagged.
> After a lot of mucking around I went right back to release version of
> 2.2 and found that I now have the same problem with it.
The steps for debugging this would be to run tcpdump on the connection at
the same time as snort (or a binary logging snort without the stream
reassembler). My guess is that you are running into stale packet data.
Try adding zero_flushed_packets to your stream4 reassembly line. If the
problem goes away/is minimized, the problem is with stream4 somewhere.
Right before you get this bad alert, you should find a real instance of this
Since I left, I haven't exactly kept up with snort development but I'm
guessing some of the current crop of stream4 fixes aren't really fixes.
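The stream4 change suggested above, shown as a snort.conf fragment. This is an added example, not part of the original message; the surrounding `preprocessor stream4:` options and the interface name are assumptions, and only the `zero_flushed_packets` keyword comes from the post.

```conf
# Added example (not from the original message): snort.conf stream4 lines.

# Before: a plain reassembly line. When stream4 flushes a rebuilt pseudo-packet,
# any part of the buffer it did not fill can still hold bytes from an earlier
# flush, which is the "stale packet data" symptom described in the thread.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports default

# After: zero_flushed_packets clears the unfilled portion of each flushed
# packet, so a content match (and any packet tagged because of it) can only
# come from data that actually belonged to this session.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports default, zero_flushed_packets

# To confirm a given alert against the wire, capture the same traffic in
# parallel and compare the alerting packet with the raw capture (eth0 assumed):
#   tcpdump -n -i eth0 -w raw.pcap
#   snort -c snort.conf -i eth0 -b -l /var/log/snort
```

If the tagged-packet noise drops after the change, that points at the reassembler rather than at the rule; if it stays, the raw tcpdump capture is the reference for what was really on the wire.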