Snort mailing list archives

Re: Flexresp problem


From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Sun, 21 Apr 2002 10:46:47 -0400



libnet-1.0.2a-1snort is actually the rpm package for libnet. It is configured
with --with-pf_packet=yes, nothing different from the normal compile. I also
tried to recompile snort with libpcap-0.7.1 - the same behavior.

The latest: recompiled from scratch and installed in this order: libpcap-0.7.1,
libnet-1.0.2a, snort-1.8.6, snort-plain+flexresp-1.8.6. The same behavior. I
tried also to enable debugging but it generates about 2 GB snort.debug file only
when snort starts - filled up my /tmp fs - is there any way of configuring debug to
dump only alert-related messages?

Conclusion: snort-1.8.6 resets connections if a rule is matched even if the rule
doesn't say anything about any resp.

The Nets are configured like this: var HOME_NET [a.b.c.d/e,f.g.h.i/j ...], var
EXTERNAL_NET !$HOME_NET, var HTTP_SERVERS $HOME_NET etc.

Any other thoughts, folks?

Thanks,
Tudor


Erek Adams <erek () theadamsfamily net> on 04/20/2002 03:03:46 PM

  To:       Tudor Panaitescu/ColorconUS@ColorconUS
  cc:       snort-users () lists sourceforge net
  Subject:  Re: [Snort-users] Flexresp problem

On Sat, 20 Apr 2002, Tudor Panaitescu wrote:

OK. Used my workstation, "pure" RH7.2, all the updates from RH installed,
libnet-1.0.2a-1snort, libpcap-0.6.2-9, snort compiled locally, no aliases on
any interface, apache-fp-1.3.22-6, same set of rules as on the production boxes,
no resp in any of the rules ... and .... the same problem. Connections matching
the rules are reset (icmp_all in the alerts log) even if there's no resp in the
rule .... Does it make any sense ? Is anybody else having the same problem ?


Ok, one thing that I can think of--Try the "real" version of libpcap from
tcpdump.org.  Yank the rpm and drop in the new one.  Also, is the libnet a
'special' version for snort?  "libnet-1.0.2a-1snort" just looks odd...  If so,
yank it as well and build libnet from scratch.

This is one of those things where rolling your own _usually_ is worth the
effort.  :)

But, other than that, I'm not sure why you're seeing such an odd thing....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
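The check both posters keep coming back to is whether any active rule actually carries a resp option, since only such a rule should make flexresp send resets. The POSIX shell helper below is an added example, not code from the original thread or from the Snort project. It writes a constructed sample rule file (the var lines follow the HOME_NET/EXTERNAL_NET style quoted in the thread; the rules and sids are made up here), lists the sids of uncommented rules that contain resp, counts them, and separately reports whether a given snort binary is dynamically linked against libnet, the library flexresp needs. The binary path and the rule-file path are parameters the caller supplies; nothing here is taken from the poster's systems.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# Writes a constructed sample rule file to the path given as $1.
# The var lines mirror the HOME_NET/EXTERNAL_NET style in the thread;
# the rules and sids are made up for this example.
make_sample_rules() {
  cat > "$1" <<'EOF'
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC no resp"; content:"foo"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC with resp"; content:"bar"; resp:rst_all; sid:1000002;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP commented out"; resp:rst_snd; sid:1000003;)
EOF
}

# Print the sid of every active (uncommented) rule that carries a resp option.
# Commented-out rules are skipped first, so they never count as active.
active_resp_sids() {
  grep -v '^[[:space:]]*#' "$1" | grep 'resp:' | sed -n 's/.*sid:\([0-9][0-9]*\).*/\1/p'
}

# Count the active rules carrying resp; 0 means the rule set itself cannot
# explain resets, which points back at the build rather than the rules.
active_resp_count() {
  n=$(active_resp_sids "$1" | wc -l)
  echo "$n" | tr -d ' '
}

# Report whether a snort binary (path given as $1) is dynamically linked
# against libnet, which flexresp uses to craft reset packets.
# Returns 0 if libnet appears in the ldd output, 1 if not, 2 if ldd is missing.
snort_links_libnet() {
  command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 2; }
  if ldd "$1" 2>/dev/null | grep -q libnet; then
    echo "linked against libnet"; return 0
  fi
  echo "no libnet in ldd output"; return 1
}

# Stand-alone demo against a temporary constructed rule file:
#   sh check_resp.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); make_sample_rules "$f"
  echo "active rules with resp: $(active_resp_count "$f")"
  active_resp_sids "$f"
  rm -f "$f"
fi
```

Point active_resp_sids at each file your snort.conf includes (the helper takes one file at a time, so loop over the include list), and run snort_links_libnet against the plain and the flexresp builds mentioned in the thread: a binary that does not link libnet at all cannot send resets through flexresp, which narrows the search to whichever build is actually being started.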

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users