[Snort-devel] 'established' with Snort 2.x on openbsd
andreaso at ...387...
Thu Apr 1 23:57:01 EST 2004
The answer from Chris in that thread indicated that this is often because of
bad checksums in packets, and in your pcap all packets from spoofed.org do
indeed have incorrect (IP) checksums.
Trying a config with only the stream4/stream4_reassemble preprocessors and the
vrfy root rule on your pcap, with IP checksum checks enabled:
$ snort -l log/ -c test.conf -r snort-debug.pcap 2>&1|grep ALERTS
TCP: 14 (100.000%) ALERTS: 0
$ snort -l log/ -c test.conf -r snort-debug.pcap -k noip 2>&1|grep ALERTS
TCP: 14 (100.000%) ALERTS: 1
So maybe the problem is to find out why they have incorrect checksums?
On Friday 02 April 2004 07:27, Jon Hart wrote:
> This is somewhat of a follow up to Ryan's email back in december, found
> I'm having nearly identical issues here:
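The thread's diagnosis (Snort 2.x verifies IP checksums before a packet reaches the rule engine, so a packet with a bad IP checksum never alerts unless checking is disabled with -k noip) leaves the question of which packets in a capture actually fail. The script below is an added example, not code from the thread or from Snort: it walks a classic pcap file with Ethernet framing using only the Python standard library, recomputes the RFC 791 IPv4 header checksum of every IPv4 packet and reports the ones whose stored value does not match. The capture it runs on is constructed inline (one well-formed packet, one whose checksum field was left at zero); the MAC addresses, IP addresses and record timestamps in it are made up.

```python
"""Report packets whose IPv4 header checksum does not verify.

Added example for the Snort-devel thread above, not code from the thread
or from Snort. Standard library only; handles classic (microsecond) pcap
files with linktype 1 (Ethernet). The sample capture at the bottom is
constructed here so the script runs offline.
"""
import struct
from typing import List, NamedTuple, Optional


class Result(NamedTuple):
    index: int        # packet number in the capture, 0-based
    src: str
    dst: str
    stored: int       # checksum found in the header
    computed: int     # checksum the header should carry
    ok: bool


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the header with the checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6,
                      checksum: Optional[int] = None) -> bytes:
    """Minimal 20-byte IPv4 header with no payload. checksum=None fills in the
    correct value; an explicit value emulates a badly crafted packet."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    if checksum is None:
        checksum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def ethernet_frame(ip_packet: bytes) -> bytes:
    """Wrap an IP packet in an Ethernet header (dummy MACs, ethertype IPv4)."""
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip_packet


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, linktype 1 (Ethernet), made-up timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1080000000 + i, 0, len(f), len(f)) + f
    return out


def check_pcap(data: bytes) -> List[Result]:
    """Verify the IPv4 header checksum of every Ethernet/IPv4 packet in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    results, off, idx = [], 24, 0
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        i, idx = idx, idx + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                        # not IPv4, nothing to verify
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
            continue
        hdr = ip[:ihl]
        stored = struct.unpack("!H", hdr[10:12])[0]
        computed = ipv4_checksum(hdr)
        src = ".".join(str(b) for b in hdr[12:16])
        dst = ".".join(str(b) for b in hdr[16:20])
        results.append(Result(i, src, dst, stored, computed, stored == computed))
    return results


def bad_checksum_indices(data: bytes) -> List[int]:
    """Indices of the packets Snort would discard with IP checksum checks on."""
    return [r.index for r in check_pcap(data) if not r.ok]


# Constructed sample: one well-formed packet and one whose checksum field was
# left at zero, the kind of packet that only alerts when Snort runs -k noip.
SAMPLE_PCAP = build_pcap([
    ethernet_frame(build_ipv4_header("10.0.0.1", "10.0.0.2")),
    ethernet_frame(build_ipv4_header("192.0.2.7", "10.0.0.2", checksum=0)),
])

if __name__ == "__main__":
    for r in check_pcap(SAMPLE_PCAP):
        print(f"#{r.index} {r.src} -> {r.dst} stored=0x{r.stored:04x} "
              f"computed=0x{r.computed:04x} {'OK' if r.ok else 'BAD'}")
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the file (for example snort-debug.pcap) and compare the indices it prints with the packets Snort only alerts on under -k noip; a source whose every packet fails this way usually points at a packet generator or a capture path that never filled in the checksum, which is the question the reply above leaves open.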