[Snort-users] Problem with "Established" keyword

Chris Green cmg at ...671...
Thu Dec 18 10:32:08 EST 2003


Ryan Russell <ryan at ...182...> writes:

> The test I was doing was with a standard browser on an external
> Windows client, and Apache running on the OpenBSD box itself.  I was
> able to do the test several times, with and without the "established"
> in my rule, and the problem followed the "established" each time.  The
> web server and browser were responding appropriately for the tests I
> was doing, and this was with the OpenBSD box and Windows box plugged
> into the same hub. So, I believe that corrupt packets were not likely
> the cause, but I appreciate the suggestion.
>
> I can only think it may be some weirdness with the local IP stack
> and pcap?

Without the original packets we'll never be able to verify, but
sometimes, on fancier cards/drivers, one of the hosts involved in the
traffic computes the outgoing TCP checksums on the Ethernet card.
Those checksums are not available to the pcap process, and that makes
established traffic look unestablished.

The platform I know that happens on is the Mac; I've never heard of it
happening on OpenBSD.
-- 
Chris Green <cmg at ...1121...>
"Yeah, but you're taking the universe out of context."
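The offload explanation above is easy to test for: recompute the TCP checksum of every captured segment and see whether the failures are confined to frames sent by the capturing host. The script below is an added example for that check; it is not code from this thread or from Snort. The three handshake frames, the 192.0.2.x addresses and the read_pcap helper are constructed for illustration, and the "offloaded" SYN/ACK simply stores 0 where a NIC would later have written the checksum.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """IPv4 header checksum, with the header's own checksum field zeroed."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    segment's own checksum field (bytes 16-17 of the TCP header) zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, tcp_segment) from an Ethernet II/IPv4/TCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    segment = ip[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return ip[12:16], ip[16:20], segment

def tcp_checksum_ok(frame: bytes) -> bool:
    """True if the stored TCP checksum matches a recomputation over the frame."""
    src, dst, seg = parse_frame(frame)
    return struct.unpack("!H", seg[16:18])[0] == tcp_checksum(src, dst, seg)

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, checksum=None) -> bytes:
    """Constructed test data: a data-less TCP segment in IPv4 in Ethernet II.
    checksum=None stores the correct value; any other value is stored as-is,
    which mimics what a checksum-offloading NIC leaves for the sniffer to see."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 0x50, flags, 8192, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src, dst, tcp)
    return eth + ip + tcp[:16] + struct.pack("!H", checksum) + tcp[18:]

def read_pcap(path: str):
    """Yield Ethernet frames from a classic (non-pcapng) libpcap capture file."""
    with open(path, "rb") as fh:
        endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}[fh.read(4)]
        linktype = struct.unpack(endian + "HHiIII", fh.read(20))[5]
        if linktype != 1:
            raise ValueError("expected DLT_EN10MB (Ethernet) capture")
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                return
            caplen = struct.unpack(endian + "IIII", rec)[2]
            yield fh.read(caplen)

def checksum_report(frames, local_ip: str) -> dict:
    """Count TCP checksum failures by direction relative to the capturing host.
    Failures concentrated on frames *sent by* local_ip point at checksum
    offload on that host's NIC rather than at corruption on the wire."""
    local = socket.inet_aton(local_ip)
    report = {"outbound_bad": 0, "outbound_total": 0,
              "inbound_bad": 0, "inbound_total": 0}
    for frame in frames:
        try:
            src, _, _ = parse_frame(frame)
        except ValueError:
            continue  # non-TCP or truncated: irrelevant to the 'established' question
        side = "outbound" if src == local else "inbound"
        report[side + "_total"] += 1
        if not tcp_checksum_ok(frame):
            report[side + "_bad"] += 1
    return report

if __name__ == "__main__":
    # Constructed handshake as captured on the server (192.0.2.20) itself: the
    # client's frames arrive intact, but the server's own SYN/ACK reached pcap
    # before the NIC filled in its checksum, so the capture stores 0 there.
    client, server = "192.0.2.10", "192.0.2.20"
    SYN, SYNACK, ACK = 0x02, 0x12, 0x10
    frames = [
        build_frame(client, server, 40000, 80, SYN),
        build_frame(server, client, 80, 40000, SYNACK, checksum=0),
        build_frame(client, server, 40000, 80, ACK),
    ]
    print(checksum_report(frames, server))
    # {'outbound_bad': 1, 'outbound_total': 1, 'inbound_bad': 0, 'inbound_total': 2}
```

To run it over a real capture taken on the suspect box, call checksum_report(read_pcap("capture.pcap"), "<that box's IP>"). If every bad checksum is outbound while inbound frames are clean, the NIC or driver is filling in checksums after pcap has seen the packet, and a stream tracker that verifies checksums will discard those segments before they can count toward the 3-way handshake. The workarounds are either to disable checksum offload on the capture interface or to relax Snort's checksum verification with its -k switch (for example -k notcp), at the cost of also accepting genuinely corrupt segments.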
