[Snort-users] snort sees no fragmented attack
mkettler at ...4108...
Fri Aug 9 09:28:02 EDT 2002
My first inclination after reading the snort.conf Holger is using is to ask
how bad is the packet drop rate?

The reason I ask is that HOME_NET, EXTERNAL_NET and HTTP_SERVERS are all
set to 'any' ... That's going to put a pretty painful load on snort.
Send a kill -USR1 to snort and then look.

Also, the rule in question uses HTTP_PORTS, being a relatively new rule, but
the snort.conf doesn't contain this variable, being from an old snort. Is
snort even successfully loading these rules files? Or is snort bombing out
on startup because it can't understand the syntax of the rule files?

When upgrading your rulefiles, note that the rules tarball contains a new
snort.conf. Don't ignore it. It's in with the rules tarball for a very

At 04:09 PM 8/9/2002 +0200, Andreas Östling wrote:
>On Fri, 9 Aug 2002 Holger.Woehle at ...2701... wrote:
> > echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>I think this should work since you seem to have frag2 loaded...
>(perhaps a very old version?)
>I tried 1.9beta2 on 100 mtu ethernet and snort had no trouble with
>that packet/rule (alert was generated).
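
The two configuration checks raised in the message above (is every variable a rule uses actually defined in snort.conf, and which variables are set to 'any') can be run mechanically. This is an added example, not part of the original post or of Snort itself; the sample snort.conf and rule are constructed, and only the `var NAME value` and plain `$NAME` forms are handled.

```python
import re

# Constructed sample (not the poster's files): old-style snort.conf, no HTTP_PORTS.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS any
preprocessor frag2
"""

# Constructed rule in the newer style, referencing $HTTP_PORTS in its header.
SAMPLE_RULES = """\
# constructed example rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed example"; content:"/bin/ps";)
"""

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
VAR_REF = re.compile(r"\$(\w+)")  # plain $NAME form only (assumption)


def parse_vars(conf_text):
    """Return {name: value} for each 'var NAME value' line."""
    return {m.group(1): m.group(2)
            for m in map(VAR_DEF.match, conf_text.splitlines()) if m}


def referenced_vars(rules_text):
    """Return {name: [line numbers]} for $NAME uses in rule headers."""
    refs = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]  # skip options, which may hold a literal '$'
        for name in VAR_REF.findall(header):
            refs.setdefault(name, []).append(lineno)
    return refs


def lint(conf_text, rules_text):
    """Return (undefined variable references, variables set to 'any')."""
    defined = parse_vars(conf_text)
    undefined = {n: ln for n, ln in referenced_vars(rules_text).items()
                 if n not in defined}
    return undefined, sorted(n for n, v in defined.items() if v == "any")


if __name__ == "__main__":
    undefined, wide_open = lint(SAMPLE_CONF, SAMPLE_RULES)
    print("undefined:", undefined)
    print("set to 'any':", wide_open)
```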