Snort mailing list archives

stream4 oddity


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Apr 2002 00:23:11 -0500

Guys,

does anyone else notice weird things when stream4 is enabled?

The system I noticed this on is running Snort 1.8.6 (build 107) on
NT4sp6. I have a custom alert type configured, let's call it custom.
Custom can call any output_alert, it doesn't matter for this issue.
Without stream4, Snort logs fine to directories, and alerts on both the
stock alert and the custom alert.

Now I include stream4 with:
preprocessor stream4: detect_state_problems, timeout 300, detect_scans
preprocessor stream4_reassemble: both, ports all

Now Snort still logs to directories. The custom alert doesn't fire at
all. The stock alert still works (although for a while it wasn't even
alerting to that).

Why should the preprocessor munge the data in such a way that the stock
alert still works, but custom alert types don't? Has anyone else noticed
a behavior like this?

Regards,
Frank
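
A minimal snort.conf fragment that reproduces the setup described in the post above, added here as an illustration rather than Frank's actual configuration: the ruletype block follows Snort's ruletype declaration syntax, while the ruletype name `custom`, the alert_fast output file, and the two test rules (the same match, one per alert path) are assumptions chosen so the stock and custom alert paths can be compared side by side with and without the stream4 lines.

```conf
# Added example, not the poster's configuration. The ruletype name,
# output file and test rules are assumptions; the stream4 lines are
# the ones quoted in the post.

# User-defined rule type: "custom" rules are alert rules that go to
# their own alert_fast output instead of the default alert output.
ruletype custom
{
    type alert
    output alert_fast: custom_alerts.txt
}

# Default output for stock "alert" rules.
output alert_full: alert

# stream4 configuration as given in the post. Comment out both lines
# to compare behaviour without the preprocessor.
preprocessor stream4: detect_state_problems, timeout 300, detect_scans
preprocessor stream4_reassemble: both, ports all

# Two rules with an identical match, one per alert path. With the same
# traffic (e.g. a TCP SYN to port 80), both should fire if the two
# paths behave the same way.
alert tcp any any -> any 80 (msg:"stock alert path"; flags:S; sid:1000001; rev:1;)
custom tcp any any -> any 80 (msg:"custom alert path"; flags:S; sid:1000002; rev:1;)
```

Run Snort twice against the same traffic, once with the two preprocessor lines active and once with them commented out, and compare the default alert file with custom_alerts.txt; if only the stock rule produces entries with stream4 enabled, the symptom described in the post has been reproduced.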

