[Snort-devel] 'established' with Snort 2.x on openbsd

Jon Hart warchild at ...1775...
Fri Apr 2 07:35:05 EST 2004


On Fri, Apr 02, 2004 at 09:58:29AM -0500, Chris Green wrote:
> You can also turn off checksumming for snort.  Even nicer would be to
> modify to do that for only particular IPs (since normally only 1
> machine in your network is having that problem when it's the source of
> the traffic).

Certainly a good idea, but since both my internal and external
interfaces are xl(4) based, I want to know when something is *really*
wrong and bad checksums start flying.  I just used a patch similar to:

https://citadelle.intrinsec.com/mailing/current/HTML/ml_openbsd-bugs/2992.html

and hardware checksumming is now off, and my checksums are now correct
and snort is once again working.

> If you are only doing read back analysis, netdude (netdude.sf.net)
> contains a plugin that will fix checksums that works quite well.
> Heck, if you don't want to do that, that project deserves a
> periodic plug.

Yeah, netdude++.  It's high up on my list of "tools that don't suck" and
I use it quite often.

Thanks again,

-jon
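
Added example, not part of the original message and not Snort or OpenBSD code: a check that verifies the TCP checksum of raw IPv4 packets and counts failures per source address, which is how you would confirm that bad checksums in a capture come only from the one host doing hardware checksum offload. The packets, addresses and function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def csum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet (pseudo-header + segment)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    return csum(pseudo + seg) == 0

def build(src: str, dst: str, fill_checksum: bool = True) -> bytes:
    """Constructed sample: a bare TCP SYN. fill_checksum=False mimics a frame
    captured on the sending host before the NIC inserts the TCP checksum."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    if fill_checksum:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp)) + tcp[18:]
    return ip + tcp

def bad_checksum_sources(packets) -> dict:
    """Count packets with an invalid TCP checksum, keyed by source IP."""
    bad = Counter()
    for p in packets:
        if not tcp_checksum_ok(p):
            bad[socket.inet_ntoa(p[12:16])] += 1
    return dict(bad)

if __name__ == "__main__":
    # Constructed capture: 192.0.2.10 is the offloading host, 192.0.2.20 is a remote peer.
    capture = [build("192.0.2.10", "192.0.2.20", fill_checksum=False),
               build("192.0.2.20", "192.0.2.10"),
               build("192.0.2.10", "192.0.2.20", fill_checksum=False)]
    print(bad_checksum_sources(capture))
```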



