Subject: [snort] Livelock with "nocase"
From: Erich Meier (Erich.Meier informatik.uni-erlangen.de)
Date: Mon Mar 06 2000 - 09:17:09 CST
Hi!
The current version of snort (and all older versions with sp_pattern_match.c)
seem to have a livelock problem with nocase matches. When processing rules like
alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; content:"version|04|bind|0000 1000 03"; nocase;)
snort seems to run in an endless cycle after a few minutes under heavy traffic.
Does anyone here use the "nocase" modifier and have similar problems?
Erich
--
Erich Meier Erich.Meierinformatik.uni-erlangen.de http://www4.informatik.uni-erlangen.de/~meier/
Dilbert: "Today I started hating people in advance."
Dogbert: "It saves time."