[Snort-devel] 'established' with Snort 2.x on openbsd

From: Jon Hart <warchild(at)spoofed.org>
Date: Fri Apr 02 2004 - 00:27:25 EST

Greetings,

This is somewhat of a follow up to Ryan's email back in december, found here:

        http://marc.theaimsgroup.com/?l=snort-users&m=107169234400932&w=2

I'm having nearly identical issues here:

Snort 2.1.2
Openbsd -current as of late february 2004, i386 default ruleset, default plugins
using syslog and tcpdump output logging
$HOME_NET == any
run with 'snort -i xl1 -CXdIeyz -c /share/snort/etc/snort.conf'

None of the rules that use the 'established' option to the flow keyword are triggering, which means that I'm catching next to nothing. If I remove the 'established', the rule fires as expected.

I've rebuilt snort with debugging enabled, run with SNORT_DEBUG=8192. Attached is the debugging output for a quick smtp connection that should trigger the 'vrfy root' rule, but doesn't because of the established business. Also attached is a pcap of that traffic.

I can't seem to figure out what the problem is. It doesn't seem to be any of the more exotic pf options, and everything else on the system is perfect.

Thanks in advance to anyone that can help!

-jon

---

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-develReceived on Fri Apr 2 00:31:56 2004