[Snort-users] Problem with "Established" keyword

Chris Green cmg at ...671...
Wed Dec 17 16:50:00 EST 2003


Ryan Russell <ryan at ...182...> writes:

> I did find the discussion about this in October, but I could find no
> real solution in that discussion.
>
> I just did a fresh install of Snort 2.0.5 on OpenBSD 3.4.  Just a
> simple configure; make; make install, and copied the rules and config
> files to a directory, and started Snort from there.
>
> It appears that none of the rules with established will fire.  If I
> take that keyword out of the rule, it works fine.
>
> Was there some change to Snort that broke this, or is some
> preprocessor not handling it properly?
>

The most typical reason this happens is bad checksums on packets
somewhere. It's not outside the realm of possibility that something
else is screwed up.
-- 
Chris Green <cmg at ...1121...>
"Yeah, but you're taking the universe out of context."