[Snort-devel] Snort Detection (Stream4 and Flow)

Eric Lauzon eric.lauzon at ...1967...
Tue Feb 7 12:02:03 EST 2006


I guess I will leave it to you to understand your own bogus way of doing.
And sorry, I am not saying anything about causing Denial of Service on Snort, rather than tcpreplay is just a wrong statement.
As of having variables to ANY... guess you have other issues there.
And to leave it as it is, you removed all SYN from the pcap file? And you wonder why you don't have any state detected?
 
Did my best to understand, but I guess there is a gap between what you express, what I understand, what I express and what you understand.
 
good luck
 
-elz
 



________________________________

	From: Joel Ebrahimi [mailto:jebrahimi at ...2857...] 
	Sent: February 7, 2006 14:55
	To: Eric Lauzon
	Cc: snort-devel at lists.sourceforge.net
	Subject: RE: [Snort-devel] Snort Detection (Stream4 and Flow)
	
	
	 
	I don't think this is the case at all. Basically you're saying I can use mangled pcap files through tcpreplay to DoS Snort. My variables are basically all anys and I'm replaying real network traffic. The pcap I am using is one that I made and then modified to remove the syn/syn ack. Like I said, it will not trigger if enforce_state is in stream4 but will without it.