Re: Problem with "Established" keyword

[Chris Green <cmg () uab edu>]

Ryan Russell <ryan () thievco com> writes:

> I did find the discussion about this in October, but I could find no
> real solution in that discussion.
>
> I just did a fresh install of Snort 2.0.5 on OpenBSD 3.4.  Just a
> simple configure; make; make install, and copies the rules and config
> files to a directory, and started Snort from there.
>
> It appears that none of the rules with established will fire.  If I
> take that keyword out of the rule, it works fine.
>
> Was there some change to Snort that borke this, or is some
> preprocessor not hadling it properly?

The most typical reason this happens is bad checksums on packets
somewhere. It's not outside the realm of possibility that something
else is screwed up.
-- 
Chris Green <cmg () dok org>
"Yeah, but you're taking the universe out of context."



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users