[Snort-devel] 'established' with Snort 2.x on openbsd
warchild at ...1775...
Fri Apr 2 07:35:05 EST 2004
On Fri, Apr 02, 2004 at 09:58:29AM -0500, Chris Green wrote:
> You can also turn off checksumming for snort. Even nicer would be to
> modify to do that for only particular IPs ( since normally only 1
> machine in your network is having that problem when it's the source of
> the traffic.
Certainly a good idea, but since both my internal and external
interfaces are xl(4) based, I want to know when something is *really*
wrong and bad checksums start flying. I just used a patch similar to:
and hardware checksumming is now off, and my checksums are now correct
and snort is once again working.
> If you are only doing read back analysis, netdude (netdude.sf.net)
> contains a plugin that will fix checksums that works quite well.
> Heck, if if you don't want to do that, that project deserves a
> periodic plug.
Yeah, netdude++. Its high up on my list of "tools that don't suck" and
I use it quite often.
More information about the Snort-devel