[Snort-users] Is there a problem with Linux 2.4.0?

Martin Roesch roesch at ...421...
Fri Jan 12 15:47:06 EST 2001


Could we get some packet dumps of what you're collecting so that we can
make sure we modify the applicable rules correctly?

    -Marty

Jason Haar wrote:
> 
> I just upgraded my snort box to 2.4.0 yesterday, and I've come in this
> morning to find a whole bunch of alerts about my snort box generating
> "probe-Queso Fingerprint attempt" and that it's portscanning other hosts
> every few minutes.
> 
> I'm wondering if the IP Stack has changed in some way that causing these? I
> have figured out that applications I was using fine before the upgrade are
> responsible for these new alerts (e.g. fetchmail now causes snort to report
> a portscan of "SYN 12****S* RESERVEDBITS").
> 
> I have captured an IMAP session that triggers this event, can someone tell
> me what I should be looking for?
> 
> --
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list