[Snort-users] Re: snort sees no fragmented attack

Holger.Woehle at ...2701...
Mon Aug 12 06:24:02 EDT 2002


>Well, in 1.9 w/ a 1.9 ruleset, you should turn on
>
>preprocessor stream4: asynchronous_link
>
>you are running into the state machines actually caring about the
>state of a TCP session which it can't ascertain w/o having both sides
>of the conversation.
>
>This is not related to fragmentation.
>--
>Chris Green <cmg at ...1935...>
>A good pun is its own reword.

>Holger.Woehle at ...2701... writes:

>> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>
>The Sensor listens behind a Shomiti Ethernet TAP.
>May this be the problem? The Sensor only catches the
>"incoming" traffic. I do not want the answers from the machines. Am
>I wrong with that? Does snort need the outgoing traffic for defrag?
>
...I switched on the asynchronous_link but it doesn't change anything.
I noticed that I cannot use the "flow" option even with asynchronous link...
Snort 1.9 does not recognize the alarms declared with
"flow:to_server,established".

cu
Holger

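An added illustration, written for this archive page and not code from Snort or from anyone in the thread, of the point Chris makes: a toy session tracker that in strict mode only reaches "established" after seeing the full three-way handshake, versus one that, like the asynchronous_link idea, treats a session as established as soon as one side sends data. The addresses and packets are constructed; the one-sided list is what a TAP feeding only one direction would deliver.

```python
"""Toy model of why one-sided capture defeats 'flow:to_server,established'.

Simplified illustration only, not Snort's stream4 implementation.
"""
from dataclasses import dataclass

# Constructed packets: (src, dst, TCP flags, payload).
# Only the client -> server direction, as seen on a one-directional TAP.
ONE_SIDED = [
    ("10.0.0.5", "10.0.0.80", {"SYN"}, b""),
    ("10.0.0.5", "10.0.0.80", {"ACK"}, b""),
    ("10.0.0.5", "10.0.0.80", {"PSH", "ACK"}, b"GET /aaaaaaa/aaa/bcc/bin/ps"),
]
# Same session with the server's SYN/ACK visible as well.
BOTH_SIDES = [
    ("10.0.0.5", "10.0.0.80", {"SYN"}, b""),
    ("10.0.0.80", "10.0.0.5", {"SYN", "ACK"}, b""),
    ("10.0.0.5", "10.0.0.80", {"ACK"}, b""),
    ("10.0.0.5", "10.0.0.80", {"PSH", "ACK"}, b"GET /aaaaaaa/aaa/bcc/bin/ps"),
]

@dataclass
class Session:
    client: str
    server: str
    saw_syn: bool = False
    saw_synack: bool = False
    established: bool = False

def run(packets, asynchronous_link):
    """Return indices of packets that satisfy a hypothetical rule with
    content:"GET /" and flow:to_server,established."""
    sessions = {}
    hits = []
    for i, (src, dst, flags, payload) in enumerate(packets):
        key = tuple(sorted((src, dst)))
        s = sessions.get(key)
        if s is None:
            # The first packet seen decides which side we call the client.
            s = sessions[key] = Session(client=src, server=dst)
        if flags == {"SYN"}:
            s.saw_syn = True
        elif flags == {"SYN", "ACK"}:
            s.saw_synack = True
        elif "ACK" in flags and s.saw_syn and s.saw_synack:
            s.established = True      # strict: whole handshake observed
        if asynchronous_link and payload:
            s.established = True      # async: data from one side is enough
        to_server = src == s.client
        if payload.startswith(b"GET /") and to_server and s.established:
            hits.append(i)
    return hits
```

With strict tracking the one-sided capture never produces a hit because the server's SYN/ACK is never seen; the asynchronous mode or a capture of both directions does.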