[Snort-users] query .. please someone help.

Erek Adams erek at ...950...
Thu Sep 18 05:00:09 EDT 2003

On Wed, 17 Sep 2003, Clayton Mascarenhas wrote:

> I have three questions. So what I have done now is added "config
> checksum_mode:none" to my snort.conf file and now snort 2.01 has stopped
> printing that "returning! " message on my screen. But let's say I want to
> stop snort from detecting it (rather than just stopping it from printing
> it on the screen)... do I need to highlight the lines 94 through 103
> from the detect.c code?

Well, when you place that line in your config a flag is set.  When that
flag is set, the code 'doesn't run', so there isn't any detection (of
that) going on.

> I have installed snort 2.01 on my windows machine. I cannot find the
> folder in which all the C files are kept. Where are they?

Well, I don't have a Win32 box to check on, but I'm guessing that the
Win32 binary distro does not include the source.  If you need it, grab
WinZip ( http://www.winzip.com/ ) so you can uncompress the archive, grab
the archive [0] and then unpack it.  You should see the Win32 specific
files in snort-2.0.1/src/win32/ .

> And finally ... when I ran snort 1.9 on the same traffic data... I did
> not get this "returning!" message thing... snort 1.9 never detected these
> bad checksum packets... however snort2.01 does detect this. I wanted to
> double check here with you whether snort1.9 cannot actually do that or
> was I doing something wrong.

Right.  This was something that was added in 2.0.x.  Now of course since
2.0.2 is out, you should upgrade. :)  IIRC, the "returning! TCP" blah
isn't in 2.0.2.  I guess I should really upgrade as well.  :)


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/dl/snort-2.0.2.tar.gz
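
The following is an added example, not part of the original message and not Snort's detect.c: a sketch of a checksum check that a configuration flag switches off, which is the behaviour the reply describes for "config checksum_mode:none". The enum, function names and sample headers are hypothetical and constructed; only the IPv4 header checksum is shown (the TCP checksum additionally covers a pseudo-header).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the flag set by "config checksum_mode:none". */
enum cksum_mode { CKSUM_VERIFY = 0, CKSUM_NONE = 1 };

/* Constructed sample: 20-byte IPv4 header, 192.168.0.1 -> 192.168.0.199. */
static const uint8_t good_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* Constructed sample: same header with the checksum field off by one. */
static const uint8_t bad_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x60, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* RFC 1071 checksum: one's-complement sum of big-endian 16-bit words. */
static uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((buf[0] << 8) | buf[1]);
        buf += 2;
        len -= 2;
    }
    if (len == 1)                       /* odd trailing byte, zero padded */
        sum += (uint32_t)(buf[0] << 8);
    while (sum >> 16)                   /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1: checksum valid or check disabled; 0: bad checksum; -1: malformed. */
int ipv4_header_ok(const uint8_t *pkt, size_t caplen, enum cksum_mode mode)
{
    size_t ihl;
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < 20 || ihl > caplen)
        return -1;
    if (mode == CKSUM_NONE)             /* flag set: verification never runs */
        return 1;
    return inet_cksum(pkt, ihl) == 0;   /* a valid header sums to zero */
}

int main(void)
{
    printf("good, verify: %d\n", ipv4_header_ok(good_hdr, 20, CKSUM_VERIFY));
    printf("bad,  verify: %d\n", ipv4_header_ok(bad_hdr, 20, CKSUM_VERIFY));
    printf("bad,  none:   %d\n", ipv4_header_ok(bad_hdr, 20, CKSUM_NONE));
    return 0;
}
```

With the check disabled, the header with the wrong checksum is treated exactly like a valid one, so nothing is reported about it.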

