[unisog] Snort woes

Chris Green cmgreen at uab.edu
Mon Jan 24 17:32:10 GMT 2005


On 1/23/05 10:35 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:

> Background:  this issue first came to my attention after moving to
> 2.3RC2 recently when I noticed large numbers of tagged packets appearing
> in the log file. I could not figure out why the packets had been tagged.
> After a lot of mucking around I went right back to release version of
> 2.2 and found that I now have the same problem with it.

Russell, 

The steps for debugging this would be to run tcpdump on the connection at
the same time as snort (or a binary logging snort without the stream
reassembler).  My guess is that you are running into stale packet data.

Try adding zero_flushed_packets to your stream4 reassembly line.  If the
problem goes away/is minimized, the problem is with stream4 somewhere.

Right before you get this bad alert, you should find a real instance of this
alert.
Since I left, I haven't exactly kept up with snort development but I'm
guessing some of the current crop of stream4 fixes aren't really fixes.

Cheers,
Chris
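The failure mode Chris is describing can be modelled in a few lines. The following is an added illustration, not Snort's code and not anything from the original thread: a toy reassembler that lays TCP segments into a fixed buffer at their stream offsets and hands the buffer to a pattern matcher on flush. If the buffer is reused without being zeroed, a later stream with a hole (a segment that never arrived) gets the hole filled with bytes left over from the previous flush, so the signature that fired on a genuine request fires again on a benign one. The class names, the signature and the two constructed requests are assumptions made for the demonstration; the zero_flushed_packets knob is modelled by the zero_flushed flag.

```python
import re

# Assumed toy model of a stream reassembler's flush buffer (not Snort's code).
BUF_SIZE = 64
# Constructed stand-in for a content rule, e.g. a WEB-MISC /etc/passwd access rule.
SIGNATURE = re.compile(rb"/etc/passwd")


class ToyReassembler:
    """Collects segments for one flush cycle, then emits a pseudo-packet."""

    def __init__(self, zero_flushed: bool):
        # zero_flushed models stream4's zero_flushed_packets option:
        # wipe the shared buffer after every flush.
        self.zero_flushed = zero_flushed
        self.buf = bytearray(BUF_SIZE)
        self.pending = {}  # stream offset -> payload for this flush cycle

    def add_segment(self, offset: int, payload: bytes) -> None:
        if offset + len(payload) > BUF_SIZE:
            raise ValueError("segment exceeds toy buffer")
        self.pending[offset] = payload

    def flush(self) -> bytes:
        # Copy each segment to its offset; bytes that never arrived (holes)
        # are simply not written, so the buffer keeps whatever was there before.
        end = 0
        for off, data in sorted(self.pending.items()):
            self.buf[off:off + len(data)] = data
            end = max(end, off + len(data))
        self.pending.clear()
        pseudo_packet = bytes(self.buf[:end])
        if self.zero_flushed:
            # Corrected behaviour: stale bytes cannot survive into the next flush.
            self.buf[:] = bytes(BUF_SIZE)
        return pseudo_packet


def inspect(pseudo_packet: bytes) -> bool:
    """Return True if the signature matches the reassembled data."""
    return SIGNATURE.search(pseudo_packet) is not None


def run_scenario(zero_flushed: bool) -> list:
    """Two flushes: a real hit, then a benign request with a missing segment.

    Returns the list of alert decisions, one per flush.
    """
    r = ToyReassembler(zero_flushed)
    alerts = []

    # Flush 1: constructed genuine request that legitimately matches the rule.
    r.add_segment(0, b"GET /etc/passwd HTTP/1.0\r\n")
    alerts.append(inspect(r.flush()))

    # Flush 2: constructed benign request whose middle segment (bytes 4..19)
    # never arrived. Without zeroing, the hole still holds "/etc/passwd HTTP".
    r.add_segment(0, b"GET ")
    r.add_segment(20, b"HTTP/1.0\r\n")
    alerts.append(inspect(r.flush()))
    return alerts


if __name__ == "__main__":
    print("buffer reused as-is :", run_scenario(zero_flushed=False))
    print("zero_flushed_packets:", run_scenario(zero_flushed=True))
```

With the buffer reused as-is the second flush alerts on a request that never contained the string, and the genuine alert immediately precedes it, which is exactly the pattern Chris says to look for. With zeroing the hole is filled with NULs and only the first flush alerts. In Snort 2.x the real option is appended to the `preprocessor stream4_reassemble:` line in snort.conf; the pcap taken with tcpdump alongside Snort is what lets you confirm that the bytes in the bogus alert are absent from the wire.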
