[Snort-users] Problem with "Established" keyword

Chris Green cmg at ...671...
Thu Dec 18 10:32:08 EST 2003

Ryan Russell <ryan at ...182...> writes:

> The test I was doing was with a standard browser on an external
> Windows client, and Apache running on the OpenBSD box itself.  I was
> able to do the test several times, with and without the "established"
> in my rule, and the problem followed the "established" each time.  The
> web server and browser were responding appropriately for the tests I
> was doing, and this was with the OpenBSD box and Windows box plugged
> into the same hub. So, I believe that corrupt packets were not likely
> the cause, but I appreciate the suggestion.
> I can only think it may be some weirdness with the local IP stack
> and pcap?

Without the original packets, we'll never be able to verify but
sometimes on fancier cards/drivers, traffic involving one of those
hosts computes the outgoing TCP checksums on the ethernet card and
those are not available to the pcap process and makes established look

The platform I know that happens on is the Mac; never heard of it
happening on OpenBSD.
Chris Green <cmg at ...1121...>
"Yeah, but you're taking the universe out of context."

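The offload effect Chris describes, as an added example that is not part of the thread: when the NIC fills in the TCP checksum after pcap has already copied the frame, every segment the sniffing host transmits arrives at the sensor with a bad checksum, and a sensor that verifies checksums discards those segments before its stream tracker ever sees them, so the server's side of the conversation is never recorded as established. The script builds two constructed segments (a client request with a correct checksum, a server reply captured before the NIC filled in its checksum), verifies them against the IPv4 pseudo-header, and classifies the capture: bad checksums only on the local host's own transmissions point at TX checksum offload, bad checksums on traffic from other hosts point at real corruption. Addresses, ports and payloads are made up; the functions are mine, not Snort's.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, offloaded=False):
    """Minimal PSH/ACK segment. offloaded=True mimics what pcap sees when the NIC computes
    the checksum after the capture copy was taken: the checksum field is still zero."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    if not offloaded:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return seg

def diagnose(captured, local_ip: bytes) -> str:
    """captured: (src_ip, dst_ip, segment) triples from one capture taken on local_ip."""
    bad_out = sum(1 for s, d, seg in captured if s == local_ip and not checksum_ok(s, d, seg))
    bad_in = sum(1 for s, d, seg in captured if s != local_ip and not checksum_ok(s, d, seg))
    if bad_in:
        return "corruption"  # other hosts' segments fail: damaged in transit or a broken sender
    if bad_out:
        return "offload"     # only the sniffing host's own transmissions fail: TX checksum offload
    return "clean"

# Constructed sample: web server 10.0.0.1 sniffing its own hub, client 10.0.0.2
SRV, CLI = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
REQUEST = build_segment(CLI, SRV, 1025, 80, 1000, 2000, b"GET / HTTP/1.0\r\n\r\n")
RESPONSE = build_segment(SRV, CLI, 80, 1025, 2000, 1018, b"HTTP/1.0 200 OK\r\n", offloaded=True)
CAPTURE = [(CLI, SRV, REQUEST), (SRV, CLI, RESPONSE)]

if __name__ == "__main__":
    for s, d, seg in CAPTURE:
        print(f"{s.hex()} -> {d.hex()} checksum_ok={checksum_ok(s, d, seg)}")
    print("verdict:", diagnose(CAPTURE, SRV))  # prints "verdict: offload"
```

Run the same classification over a real capture from the sensor: if the only failing checksums belong to frames the sensor itself sent, the sniffer is seeing pre-offload frames and the NIC, not the network, is the cause.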