[Snort-devel] Fwd: Re: [Snort-users] FTP USER overflow attempt alerts, no logged packets.

Chris Green cmg at ...402...
Wed Aug 7 11:29:01 EDT 2002


Dolfred Mascarenhas <dolfredm at ...398...> writes:

>
> I'm getting the same behavior.  This rule will alert, but there will
> be on packet logs.  This is on a RH7.2 system running Snort 1.8.7
> installed from the RH RPM (binary).  I'm starting snort with
> "/usr/sbin/snort -D
> -z -I -o -i eth1 -d -l /b/log -c /etc/snort/snort.conf".  The eth1
> interface is a 'stealth listen' set-up with no IP configured.  There
> doesn't seem to be any filesystem problems in the logging directory
> (out of inodes, etc).  Other rules are logging.  This problem appeared
> when I upgraded from snort 1.8.6 to snort 1.8.7. Seems to be a bug
> introduced into 1.8.7.  1.8.6 didn't have any of these packet logging
> problems for me.  I couldn't see anything in the conf file which would
> cause ftp rules not to be logged (no specially defined type w/ output
> option, etc).  So this appears to be a bug in snort, or perhaps the
> telnet_decode preprocessor which handles FTP sessions also.
>

Do you see the same behavior in 1.9.0beta2?

-- 
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx




More information about the Snort-devel mailing list