Snort mailing list archives
snort-2.6 appears to be only seeing half the packets?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 12 Jun 2006 16:55:04 +1200
Hi there, I am starting to evaluate snort-2.6 before replacing our production 2.4 systems, and I'm seeing all sorts of odd things. I've compiled it with libnet and dnet, along with flexresp2, under Fedora Core 5.

The problem is that it appears snort is no longer seeing all the packets - or, more precisely, the packets are merged together incorrectly (corrupted). Attached is a snort config file that, when run under snort-2.6, catches the TFTP attempt but doesn't routinely catch the SMTP one. The same config file under 2.4 catches both.

Any ideas?

-------- snip --------
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts, ttl_limit 10
preprocessor stream4_reassemble: ports 21 23 25 53 80 110 111 143 513 1433 1570
output alert_syslog: LOG_AUTH LOG_ALERT
alert tcp any any -> any 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; sid:1446; rev:6;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; sid:1443; rev:4;)
---------- snip -------

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
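As an added illustration (not part of the original post and not Snort's own code), the following Python model mirrors the content/distance/offset/depth/pcre options of the two rules above and evaluates the SMTP rule once per TCP segment and once on the reassembled stream, which shows why that rule depends on stream4 reassembly while the single-datagram TFTP rule does not. All payloads are constructed samples.

```python
import re

# Constructed samples: a VRFY command split across two TCP segments, and one TFTP read request.
SMTP_SEGMENTS = [b"HELO mail.example.test\r\nVR", b"FY   root\r\n"]
TFTP_READ_REQ = b"\x00\x01/etc/passwd\x00octet\x00"


def match_smtp_vrfy_root(payload: bytes) -> bool:
    """Model of sid:1446: content:"vrfy"; nocase; content:"root"; distance:1; nocase;
    pcre:"/^vrfy\\s+root/smi". Simplified: only the first "vrfy" occurrence is tried,
    whereas Snort retries later occurrences if a following content fails."""
    low = payload.lower()                       # nocase applies to both contents
    i = low.find(b"vrfy")
    if i < 0:
        return False
    # distance:1 -> search for "root" may begin no earlier than 1 byte after the end of "vrfy"
    if low.find(b"root", i + len(b"vrfy") + 1) < 0:
        return False
    # /s dotall, /m '^' matches at line starts, /i case-insensitive
    return re.search(rb"^vrfy\s+root", payload, re.S | re.M | re.I) is not None


def match_tftp_get_passwd(payload: bytes) -> bool:
    """Model of sid:1443: content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase."""
    if payload[:2].find(b"\x00\x01") < 0:       # depth:2 restricts the search to the first 2 bytes
        return False
    return b"passwd" in payload[2:].lower()     # offset:2 starts the second search at byte 2


def reassemble(segments):
    """Stand-in for stream4_reassemble on port 25: concatenate in-order segment payloads."""
    return b"".join(segments)


def smtp_alert_per_segment_vs_reassembled(segments):
    """Return (alert when each segment is inspected alone, alert on the reassembled stream)."""
    per_segment = any(match_smtp_vrfy_root(seg) for seg in segments)
    reassembled = match_smtp_vrfy_root(reassemble(segments))
    return per_segment, reassembled


if __name__ == "__main__":
    print("TFTP rule on single datagram:", match_tftp_get_passwd(TFTP_READ_REQ))
    print("SMTP rule (per segment, reassembled):", smtp_alert_per_segment_vs_reassembled(SMTP_SEGMENTS))
```

If reassembly drops or misorders a segment, the reassembled check here behaves like the per-segment one and the SMTP alert is lost, which is consistent with the TFTP rule still firing while the SMTP rule goes quiet.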
Current thread:
- snort-2.6 appears to be only seeing half the packets? Jason Haar (Jun 11)
- Re: snort-2.6 appears to be only seeing half the packets? Justin Heath (Jun 12)
- Re: snort-2.6 appears to be only seeing half the packets? Jason Haar (Jun 12)
- Re: snort-2.6 appears to be only seeing half the packets? Justin Heath (Jun 12)