[Snort-devel] 'established' with Snort 2.x on openbsd

Andreas Östling andreaso at ...387...
Thu Apr 1 23:57:01 EST 2004


The answer from Chris in that thread indicated that this is often because of 
bad checksums in packets, and in your pcap all packets from spoofed.org have 
indeed incorrect (ip) checksums.

Trying with a config with only preprocessor stream4/stream4_reassemble and the 
vrfy root rule on your pcap with ip checksum checks:

$ snort -l log/ -c test.conf  -r snort-debug.pcap 2>&1|grep ALERTS
    TCP: 14         (100.000%)         ALERTS: 0

And without:

$ snort -l log/ -c test.conf  -r snort-debug.pcap -k noip 2>&1|grep ALERTS
    TCP: 14         (100.000%)         ALERTS: 1

So maybe the problem is to find out why they have incorrect checksums?

/Andreas


On Friday 02 April 2004 07:27, Jon Hart wrote:
> Greetings,
>
> This is somewhat of a follow up to Ryan's email back in december, found
> here:
>
> 	http://marc.theaimsgroup.com/?l=snort-users&m=107169234400932&w=2
>
> I'm having nearly identical issues here:





More information about the Snort-devel mailing list