Snort mailing list archives
Re: snort sees no fragmented attack
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 09 Aug 2002 12:26:35 -0400
My first inclination after reading the snort.conf Holger is using is to ask: how bad is the packet drop rate?
The reason I ask is that HOME_NET, EXTERNAL_NET and HTTP_SERVERS are all set to 'any' ... That's going to put a pretty painful load on snort.
Send a kill -USR1 to snort and then look.

Also, the rule in question uses HTTP_PORTS, being a relatively new rule, but the snort.conf doesn't contain this variable, being from an old snort. Is snort even successfully loading these rules files? Or is snort bombing out on startup because it can't understand the syntax of the rule files?

When upgrading your rule files, note that the rules tarball contains a new snort.conf. Don't ignore it. It's in with the rules tarball for a very significant reason.
At 04:09 PM 8/9/2002 +0200, Andreas Östling wrote:
On Fri, 9 Aug 2002 Holger.Woehle () arcor net wrote:
> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc

I think this should work since you seem to have frag2 loaded... (perhaps a very old version?)
I tried 1.9beta2 on 100 mtu ethernet and snort had no trouble with that packet/rule (alert was generated).

/Andreas

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
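A pre-flight check for the mismatch raised in the message above, written as an added example (not code from the thread or from the Snort project): it lists variables that rule headers reference but snort.conf never defines, and flags HOME_NET, EXTERNAL_NET and HTTP_SERVERS when they are set to 'any'. The configuration and rules below are constructed samples, and only the plain `var NAME value` and `$NAME` forms are handled.

```python
import re

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
VAR_REF = re.compile(r"\$(\w+)")
# The three variables the message singles out as costly when set to 'any'.
WATCHED = ("HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS")

def check_config(conf_text, rules_text):
    """Return (undefined, wide_open): undefined maps a variable name to the
    rule line numbers that use it; wide_open lists watched vars set to 'any'."""
    defined = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
    undefined = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]  # rule options may contain a literal '$'
        for name in VAR_REF.findall(header):
            if name not in defined:
                undefined.setdefault(name, []).append(lineno)
    wide_open = [v for v in WATCHED if defined.get(v) == "any"]
    return undefined, wide_open

# Constructed sample input mirroring the situation in the message.
SAMPLE_CONF = """\
# old snort.conf (constructed)
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS any
"""
SAMPLE_RULES = """\
# newer rule file (constructed rules, not from the Snort rule set)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample /bin/ps"; content:"/bin/ps"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample cost $5"; content:"$5"; sid:1000002;)
"""

if __name__ == "__main__":
    undefined, wide_open = check_config(SAMPLE_CONF, SAMPLE_RULES)
    for name, lines in undefined.items():
        print(f"undefined ${name} used on rule line(s) {lines}")
    print("set to 'any':", ", ".join(wide_open))
```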