Snort mailing list archives

Re: Anomalous packet logged by Snort

From: Chris Green <cmg () sourcefire com>
Date: Mon, 08 Apr 2002 16:29:44 -0400

Bill McCarty <bmccarty () apu edu> writes:

Also, the QUIT followed by a PASS seems odd. And, the presence of a
host name in the PASS doesn't seem right, especially when no delimiter
separates the host name from the keyword PASS. That just can't be.


It's just how TCP Stream reassembly works right now.  We plop a lot of
packets together into a fake packet and inject it back through the
detection engine.
-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Anomalous packet logged by Snort Bill McCarty (Apr 07)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- Re: Anomalous packet logged by Snort Dan Hawrylkiw (Apr 14)
  - Re: Anomalous packet logged by Snort Bill McCarty (Apr 07)
    - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- <Possible follow-ups>
- RE: Anomalous packet logged by Snort Hawrylkiw, Dan G (Apr 08)
  - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- RE: Anomalous packet logged by Snort Safka (Apr 14)