[Snort-devel] 'established' with Snort 2.x on openbsd
warchild at ...1775...
Fri Apr 2 05:58:13 EST 2004
On Fri, Apr 02, 2004 at 09:56:04AM +0200, Andreas Östling wrote:
> The answer from Chris in that thread indicated that this is often because of
> bad checksums in packets, and in your pcap all packets from spoofed.org have
> indeed incorrect (ip) checksums.
> Trying with a config with only preprocessor stream4/stream4_reassemble and the
> vrfy root rule on your pcap with ip checksum checks:
> $ snort -l log/ -c test.conf -r snort-debug.pcap 2>&1|grep ALERTS
> TCP: 14 (100.000%) ALERTS: 0
> And without:
> $ snort -l log/ -c test.conf -r snort-debug.pcap -k noip 2>&1|grep ALERTS
> TCP: 14 (100.000%) ALERTS: 1
> So maybe the problem is to find out why they have incorrect checksums?
I saw that in Chris's post too, but when I went to verify the checksums
nothing seemed wrong. I guess I didn't look hard enough because all the
packets to spoofed.org have correct checksums and all the packets from
spoofed.org incorrect checksums.
So now I'm gonna track down the source of the bad checksums. I'm fairly
certain the hardware isn't failing because I tried the same thing on a
different card (albeit the same driver, xl(4)) and had the same
problems. Actually it looks like my card, a 3Com 3C905B has hardware
checksumming and the xl driver will use it if available, but according
to the openbsd archives this is known to cause problems yet it remains
on. FreeBSD has disabled it for this very reason.
So, I'm either going to hack xl(4) to disable the checksums or just swap
to other cards in the system.
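As an added example (not code from this thread, from Snort, or from the xl(4) driver), here is a way to reproduce the check Andreas ran by hand: compute the RFC 1071 IPv4 header checksum over captured packets, flag the ones that fail (the packets Snort ignored for detection until it was run with -k noip), and tally good versus bad per source address, which is the split that exposed the spoofed.org packets. The header bytes, the addresses and the zero checksum field are constructed for the example.

```python
import struct

# Constructed sample: a 20-byte IPv4 header (src 192.0.2.1 -> dst 198.51.100.2,
# protocol 6/TCP, total length 40) with the checksum field left at zero, which
# is how a capture taken before the NIC fills in an offloaded checksum can look,
# followed by a 20-byte zero stub standing in for the TCP header.
BAD_PACKET = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0x00, 40, 0x1C46, 0x4000, 64, 6, 0x0000,
    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]),
) + b"\x00" * 20


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the 16-bit words of HEADER.

    With the checksum field zeroed this yields the value to write into it;
    with the field populated it yields 0 if and only if the header is intact.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header_len(packet: bytes) -> int:
    """Header length in bytes from the IHL nibble, or 0 if not a sane IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return 0
    ihl = (packet[0] & 0x0F) * 4
    return ihl if 20 <= ihl <= len(packet) else 0


def ip_header_is_valid(packet: bytes) -> bool:
    """True when the IPv4 header checksum verifies, i.e. the packet would not
    be set aside for a bad IP checksum (short of running Snort with -k noip)."""
    ihl = ip_header_len(packet)
    return ihl != 0 and ip_checksum(packet[:ihl]) == 0


def fix_ip_checksum(packet: bytes) -> bytes:
    """Return PACKET with a freshly computed IPv4 header checksum."""
    ihl = ip_header_len(packet)
    if ihl == 0:
        raise ValueError("not an IPv4 packet")
    hdr = bytearray(packet[:ihl])
    hdr[10:12] = b"\x00\x00"                # field must be zero while summing
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def tally_by_source(packets) -> dict:
    """Count (good, bad) IP checksums per source address: the per-host split
    that showed every packet from one host to be bad in the thread above."""
    tally = {}
    for pkt in packets:
        if ip_header_len(pkt) == 0:
            continue
        src = ".".join(str(b) for b in pkt[12:16])
        good, bad = tally.get(src, (0, 0))
        if ip_header_is_valid(pkt):
            tally[src] = (good + 1, bad)
        else:
            tally[src] = (good, bad + 1)
    return tally


# The same packet with a correct checksum, for comparison.
GOOD_PACKET = fix_ip_checksum(BAD_PACKET)

if __name__ == "__main__":
    print("bad packet valid?  ", ip_header_is_valid(BAD_PACKET))      # False
    print("fixed packet valid?", ip_header_is_valid(GOOD_PACKET))     # True
    print("computed checksum  ", hex(ip_checksum(BAD_PACKET[:20])))   # 0x3253
    print(tally_by_source([GOOD_PACKET, BAD_PACKET, BAD_PACKET]))
```

Running this over the IPv4 headers pulled out of a pcap gives the same verdict Snort reaches before the vrfy root rule ever sees the packet, so a tally that is 100% bad for one direction of traffic points at the capture path rather than at the rule. One general caveat, not specific to this thread: with transmit checksum offload the capture tap sees an outbound frame before the NIC writes the checksum, so locally generated packets can look corrupt in a pcap while being correct on the wire.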