[Snort-users] Problem with "Established" keyword

Ryan Russell ryan at ...182...
Wed Dec 17 17:05:01 EST 2003


Chris Green wrote:
> The most typical reason this happens is bad checksums on packets
> somewhere. It's not outside the realm of possibility that something
> else is screwed up.

Jeremy from Sourcefire was trying to help me off-list.  Unfortunately,
my reproducible test case has stopped reproducing.

The only difference (that I can see) is that the machine config outside
of Snort has been changed.  It's now also acting as a router and firewall.

The test I was doing was with a standard browser on an external Windows
client, and Apache running on the OpenBSD box itself.  I was able to do
the test several times, with and without the "established" in my rule,
and the problem followed the "established" each time.  The web server
and browser were responding appropriately for the tests I was doing, and
this was with the OpenBSD box and Windows box plugged into the same hub.
So, I believe that corrupt packets were not likely the cause, but I
appreciate the suggestion.

I can only think it may be some weirdness with the local IP stack and pcap?

					Ryan