Re: Problem with "Established" keyword

[Chris Green <cmg () uab edu>]

Ryan Russell <ryan () thievco com> writes:

> The test I was doing was with a standard browser on an external
> Windows client, and Apache running on the OpenBSD box itself.  I was
> able to do the test several times, with and without the "established"
> in my rule, and the problem followed the "established" each time.  The
> web server and browser were responsing appropriately for the tests I
> was doing, and this was with the OpenBSD box and Windows box plugged
> into the same hub. So, I believe that corrupt packets were not likely
> the cause, but I appreciate the suggestion.
>
> I can only think it may be some weirdness with the local IP stack
> and pcap?

Without the original packets, we'll never be able to verify but
sometimes on fancier cards/drivers, traffic involving one of those
hosts computes the outgoing TCP checksums on the ethernet card and
those are not available to the pcap process and makes established look
unestabled.

The platform I know that happens on is the mac, never heard of it
happening on OpenBSD
-- 
Chris Green <cmg () dok org>
"Yeah, but you're taking the universe out of context."



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users