Snort mailing list archives

More problems with packet normalization


From: "C. L. Martinez via Snort-users" <snort-users () lists snort org>
Date: Sun, 31 Dec 2017 09:21:36 +0100

Hi all,

 As I described in a previous email, I have installed Snort 2.9.9.0p0 on an OpenBSD 6.2 host. After resolving how to apply the packet normalization policy in snort.conf, I have another problem: all downloads stall randomly.

 My startup flags for snort are: -D -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log --pid-path /log --no-interface-pidfile --nolock-pidfile -Q

 DaQ config is:

config policy_mode: inline
config daq: ipfw
config daq_dir: /usr/local/lib/daq/
config daq_mode: inline
config daq_var: port=9000

 Packet normalization policy:

preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

 OpenBSD's pf config for divert sockets is:

pass out quick inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000

 Snort is installed from OpenBSD's ports. Do I need to modify some option in the normalization or stream5 policy? (Stream5's policy is the default.)

Thanks.

-- 
Greetings,
C. L. Martinez