Snort mailing list archives

Re: Problem with "Established" keyword


From: Ryan Russell <ryan () thievco com>
Date: Wed, 17 Dec 2003 17:04:20 -0800

Chris Green wrote:
> The most typical reason this happens is bad checksums on packets
> somewhere. It's not outside the realm of possibility that something
> else is screwed up.

Jeremy from Sourcefire was trying to help me off-list. Unfortunately, my reproducible test case has stopped reproducing.

The only difference (that I can see) is that the machine config outside of Snort has been changed. It's now also acting as a router and firewall.

The test I was doing was with a standard browser on an external Windows client, and Apache running on the OpenBSD box itself. I was able to do the test several times, with and without the "established" in my rule, and the problem followed the "established" each time. The web server and browser were responding appropriately for the tests I was doing, and this was with the OpenBSD box and Windows box plugged into the same hub. So, I believe that corrupt packets were not likely the cause, but I appreciate the suggestion.

I can only think it may be some weirdness with the local IP stack and pcap?

                                        Ryan
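The check a practitioner would want here is whether the captured segments actually carry valid TCP checksums, because a sensor that verifies checksums silently drops a bad segment from stream tracking, and a session whose handshake is missing a segment never reaches "established", so rules with that keyword stay silent while the same rule without it fires. The script below is an added example, not code from this thread, from Snort or from Sourcefire. It recomputes the RFC 793 TCP checksum over the IPv4 pseudo-header, then runs a constructed three-way handshake (addresses, ports and sequence numbers are made up) through a deliberately small handshake tracker that stands in for a checksum-verifying stream tracker; it is not Snort's own stream code. The corrupted SYN/ACK models one concrete form of the "local IP stack and pcap" weirdness Ryan suspects: when a sensor sniffs traffic its own host sends (here, Apache on the sensor box), pcap may hand over the segment before the stack or card fills in the checksum, so the capture shows a bad checksum even though the wire and the peer saw a good one.

```python
"""Added example: verify TCP checksums in captured segments and show how a
checksum-verifying tracker never sees a session reach ESTABLISHED when one
handshake segment fails the check. All addresses and ports are constructed."""
import struct
import ipaddress

SYN, ACK = 0x02, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header (src, dst, zero, proto 6,
    TCP length) plus the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the checksum stored in the segment matches the recomputed one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  payload=b"", bad_checksum=False):
    """Build a TCP segment with a 20-byte header. With bad_checksum=True the
    stored value is deliberately off by one, standing in for a segment captured
    from the local stack before its checksum was filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                         65535, 0, 0)
    segment = header + payload
    cksum = tcp_checksum(src_ip, dst_ip, segment)
    if bad_checksum:
        cksum = (cksum + 1) & 0xFFFF
    return segment[:16] + struct.pack("!H", cksum) + segment[18:]


def session_established(packets, verify_checksums=True) -> bool:
    """Toy handshake tracker (not Snort's stream code): SYN, then SYN/ACK, then
    ACK moves the session to ESTABLISHED. With verify_checksums set, segments
    failing the checksum are ignored, as a checksum-verifying sensor does."""
    state = "NONE"
    for src_ip, dst_ip, seg in packets:
        if verify_checksums and not checksum_ok(src_ip, dst_ip, seg):
            continue
        flags = seg[13]
        if state == "NONE" and flags & SYN and not flags & ACK:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and flags & SYN and flags & ACK:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and flags & ACK and not flags & SYN:
            state = "ESTABLISHED"
    return state == "ESTABLISHED"


def handshake(server_checksum_bad: bool):
    """Constructed 3-way handshake: client 192.168.1.10 -> web server
    192.168.1.1:80. Only the server's SYN/ACK is optionally corrupted, matching
    the case where the sensor sniffs traffic its own host's stack generates."""
    client = ipaddress.IPv4Address("192.168.1.10").packed
    server = ipaddress.IPv4Address("192.168.1.1").packed
    return [
        (client, server, build_segment(client, server, 40000, 80, 1000, 0, SYN)),
        (server, client, build_segment(server, client, 80, 40000, 5000, 1001,
                                       SYN | ACK, bad_checksum=server_checksum_bad)),
        (client, server, build_segment(client, server, 40000, 80, 1001, 5001, ACK)),
    ]


if __name__ == "__main__":
    for bad in (False, True):
        pkts = handshake(bad)
        print("server SYN/ACK checksum bad:", bad,
              "| checksums ok:", [checksum_ok(s, d, p) for s, d, p in pkts],
              "| established (verifying):", session_established(pkts),
              "| established (not verifying):", session_established(pkts, False))
```

On a real capture the same check is one command away: `tcpdump -vv -r capture.pcap tcp` prints `cksum 0x... (correct)` or `(incorrect -> 0x...)` for each TCP segment, and a run of "incorrect" values only on segments sourced from the sensor's own IP points at the local-stack capture path rather than at corruption on the wire.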


