Snort mailing list archives

Re: Flexresp problem

From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Sat, 20 Apr 2002 09:14:43 -0400




OK. Used my workstation, "pure" RH7.2, all the updates from RH installed,
libnet-1.0.2a-1snort, libpcap-0.6.2-9, snort compiled locally, no aliases on any
interface, apache-fp-1.3.22-6, same set of rules as on the production boxes, no
resp in any of the rules ... and .... the same problem. Connections matching the
rules are reset (icmp_all in the alerts log) even if there's no resp in the rule
.... Does it make any sense ? Is anybody else having the same problem ?

Thank you and all the best,
Tudor









Erek Adams <erek () theadamsfamily net> on 04/15/2002 07:29:30 PM
                                                              
                                                              
                                                              
  To:          Tudor Panaitescu/ColorconUS@ColorconUS         
                                                              
  cc:          snort-users () lists sourceforge net              
                                                              
                                                              
                                                              
  Subject      Re: [Snort-users] Flexresp problem             
  :                                                           
                                                              






On Mon, 15 Apr 2002, Tudor Panaitescu wrote:

Nope, no changes. This is what makes it goofier .... Another thing: I have
another sensor running in front of the firewall (no IP), RH7.1 upgraded to
R.H7.2, same config, same packages, same ruleset ... that one works fine.
Could it be because of the aliases I have on eth0 ?


Could be.  I'd try removing them and see what happens.

Any other thoughts ?


It _really_ sounds like something special in just your config.  I don't think
there's anything that would cause this to happen in RH, but...  You never
know. :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Flexresp problem Tudor Panaitescu (Apr 14)
- Re: Flexresp problem Erek Adams (Apr 14)
- <Possible follow-ups>
- Re: Flexresp problem Tudor Panaitescu (Apr 15)
  - Segmentation fault (core dumped) Carlos Augusto Silva (Apr 15)
    - Re: Segmentation fault (core dumped) Erek Adams (Apr 15)
  - Re: Flexresp problem Erek Adams (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 15)
  - Re: Flexresp problem Erek Adams (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 20)
  - Re: Flexresp problem Alwin Raymundo (Apr 20)
  - Re: Flexresp problem Erek Adams (Apr 20)
- Re: Flexresp problem Tudor Panaitescu (Apr 20)
- Re: Flexresp problem Tudor Panaitescu (Apr 21)
  - Re: Flexresp problem Erek Adams (Apr 21)