Hosting Provided By

Re: [Snort-devel] 'established' with Snort 2.x on openbsd

From: Andreas Östling <andreaso(at)it.su.se>
Date: Fri Apr 02 2004 - 02:56:04 EST

The answer from Chris in that thread indicated that this is often because of bad checksums in packets, and in your pcap all packets from spoofed.org have indeed incorrect (ip) checksums.

Trying with a config with only preprocessor stream4/stream4_reassemble and the vrfy root rule on your pcap with ip checksum checks:

$ snort -l log/ -c test.conf -r snort-debug.pcap 2>&1|grep ALERTS

TCP: 14 (100.000%) ALERTS: 0 And without:

$ snort -l log/ -c test.conf -r snort-debug.pcap -k noip 2>&1|grep ALERTS

TCP: 14 (100.000%) ALERTS: 1 So maybe the problem is to find out why they have incorrect checksums?

/Andreas

Do you need help?

On Friday 02 April 2004 07:27, Jon Hart wrote:
> Greetings,

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Fri Apr 2 03:00:22 2004

This message: [ Message body ]
Next message: Sergey Lyubka: "Re: [Snort-devel] plugin idea"
In reply to Jon Hart: "[Snort-devel] 'established' with Snort 2.x on openbsd"
Next in thread: Jon Hart: "Re: [Snort-devel] 'established' with Snort 2.x on openbsd"
Reply: Jon Hart: "Re: [Snort-devel] 'established' with Snort 2.x on openbsd"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT