Snort mailing list archives

Re: Only TCP packets towards the Snort host trigger alerts


From: "Rennhard Marc (rema)" <rema () zhaw ch>
Date: Tue, 13 Nov 2012 15:37:30 +0000

This solved it, thanks. 

It worked without this option with Snort 2.8.5 / Ubuntu 11.04 - it appears Ubuntu has recently enabled checksum 
offloading.

Cheers,
Marc

On 13. Nov 2012, at 16:08, JJC <cummingsj () gmail com> wrote:

Out of curiosity, are you running with -k none ?


On Tue, Nov 13, 2012 at 7:00 AM, Rennhard Marc (rema) <rema () zhaw ch> wrote:
Dear list members

I'm using Snort for teaching purposes and just updated to Ubuntu 12.04, which implied a Snort update from 2.8.5 to 
2.9.2.

The new version shows a different behaviour with respect to TCP packet alerting. Using the rule

alert tcp any any -> any any (msg:"ALL"; sid:9999999;)

and communicating over TCP to a service running on the same host as Snort shows (alerted on) all packets in both
directions with Snort 2.8.5.  But with the new Snort version (2.9.2), only packets towards the server generate an
alert. With UDP traffic, all packets are alerted on in both directions with both versions.

Has anything changed with respect to alerting on TCP packets between these two versions?

Thanks for any help,
Marc


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


Prof. Dr. Marc Rennhard
ZHAW Zuercher Hochschule für Angewandte Wissenschaften
InIT Institut fuer angewandte Informationstechnologie
Schwerpunktleiter Information Security
Steinberggasse 13 / Postfach / CH-8401 Winterthur
Fon: +41 58 934-7245 / Fax: +41 58 935-7245
PGP-KeyID: 84AEB193, PGP encrypted mail welcome

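Added example, not from the thread and not Snort's own code: a small Python model of the failure mode the thread settles on. Snort verifies the TCP checksum before rules run (the default is -k all), and a packet that fails is dropped silently, so the rule never sees it. With TX checksum offloading the kernel leaves the checksum for the NIC to fill in, and libpcap copies the outgoing packet before that happens, so every packet the Snort host itself sends looks corrupt while inbound packets, checksummed by the remote stack, pass. The addresses, ports and both packets below are constructed by hand; leaving the checksum field at zero is an assumption standing in for whatever the capture sees before the NIC writes the real value, and the alerts() function models only the "all" and "none" modes of -k, not the per-protocol ones.

```python
"""
Model of Snort's checksum verification (-k) over a constructed two-packet
TCP exchange between a client and the Snort host.  Nothing here is captured
traffic; every byte is built inline below.
"""
import struct

IP_SERVER = bytes([192, 168, 1, 10])   # assumed address of the Snort/server host
IP_CLIENT = bytes([192, 168, 1, 20])   # assumed address of the client


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    segment's own checksum field (bytes 16-17) treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def build_tcp(src, dst, sport, dport, payload, fill_checksum=True):
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload.
    fill_checksum=False leaves the field at zero: our stand-in (assumption)
    for a locally generated packet copied by libpcap before the NIC
    computes the checksum under TX offloading."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(src, dst, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def checksum_ok(src, dst, segment):
    """What Snort checks before rule matching when -k all is in effect."""
    return tcp_checksum(src, dst, segment) == struct.unpack("!H", segment[16:18])[0]


def alerts(packets, checksum_mode="all"):
    """Model of `alert tcp any any -> any any (msg:"ALL"; sid:9999999;)`
    under -k: 'all' discards bad-checksum packets before the rule runs,
    'none' hands every packet to the rule.  Returns the (src, dst) pairs
    that alert, in capture order."""
    fired = []
    for src, dst, seg in packets:
        if checksum_mode == "all" and not checksum_ok(src, dst, seg):
            continue                         # dropped silently, no alert
        fired.append((src, dst))
    return fired


# Constructed exchange: the client's request arrives with a checksum its own
# stack computed; the server's reply leaves the host with the field unset.
CLIENT_REQ = (IP_CLIENT, IP_SERVER,
              build_tcp(IP_CLIENT, IP_SERVER, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
SERVER_REPLY = (IP_SERVER, IP_CLIENT,
                build_tcp(IP_SERVER, IP_CLIENT, 80, 40000, b"HTTP/1.0 200 OK\r\n",
                          fill_checksum=False))
FLOW = [CLIENT_REQ, SERVER_REPLY]

if __name__ == "__main__":
    for mode in ("all", "none"):
        print("-k %-4s -> alerts on %s" % (mode, alerts(FLOW, mode)))
```

With -k all only the client-to-server packet alerts, which is exactly the one-directional behaviour reported in the thread; with -k none both directions alert. On a real host the same effect can be confirmed with `ethtool -k <iface>` (look at tx-checksumming) and removed at the source with `ethtool -K <iface> tx off`, or left in place and tolerated with `-k none` on the command line or `config checksum_mode: none` in snort.conf, at the cost of no longer discarding genuinely corrupt segments.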
