[Snort-users] query .. please someone help.

Clayton Mascarenhas masclaythesnort at ...131...
Wed Sep 17 13:25:19 EDT 2003


Thank you Erek,
 
I have three questions.
So what I have done now is added "config checksum_mode:none" to my snort.conf file and now snort 2.01 has stopped printing that "returning! " message on my screen. But lets say I want to stop snort from detecting it (rather than just stopping it from printing it on the screen)... do I need to highlight the lines 94 through 103 from the detect.c code?
 
I have installed snort 2.01 on my windows machine. I cannot find the folder in which all the C files are kept at. Where are they? 
 
And finally ... when I ran snort 1.9 on the same traffic data... i did not get this "returning!" message thing... snort 1.9 never detected this bad checksum packets... however snort2.01 does detect this. I wanted to double check here with you whether snort1.9 cannot actually do that or was i doing something wrong.
 
Thank you so much Erek.
 
Clayton
 
Erek Adams <erek at ...950...> wrote:
On Tue, 16 Sep 2003, Clayton Mascarenhas wrote:

> Could I please know why I keep getting ... "responding! TCP[2] IP[0]
> UDP[0]" a million times on my screen everytime I run snort on a traffic
> data file? Its like that statement runs in some sort of a never ending
> loop. Please could I know why this is happening and how do I stop this
> from happening. Is there any option that goes with my snort command
> line

Are you sure that the message isn't "returning" instead? If it is...

Snort is telling you that something isn't right on your network. You've
got something creating packets with bad checksums. If you take a look at
lines 88-103 in src/detect.c you'll see this:

88 /*
89 * If the packet has an invalid checksum marked, throw that
90 * traffic away as no end host should accept it.
91 *
92 * This can be disabled by config checksum_mode: none
93 */
94
95 if(p->csum_flags)
96 {
97 printf("returning! TCP (%d) IP (%d) UDP (%d) \n",
98 (p->csum_flags & CSE_TCP),
99 (p->csum_flags & CSE_IP),
100 (p->csum_flags & CSE_UDP)
101 );
102 return 0;
103 }

Does that help?

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030917/9d8edfed/attachment.html>


More information about the Snort-users mailing list