[Snort-users] query .. please someone help.
erek at ...950...
Thu Sep 18 05:00:09 EDT 2003
On Wed, 17 Sep 2003, Clayton Mascarenhas wrote:
> I have three questions. So what I have done now is added "config
> checksum_mode:none" to my snort.conf file and now snort 2.01 has stopped
> printing that "returning! " message on my screen. But let's say I want to
> stop snort from detecting it (rather than just stopping it from printing
> it on the screen)... do I need to highlight the lines 94 through 103
> from the detect.c code?

Well, when you place that line in your config a flag is set. When that
flag is set, the code 'doesn't run', so there isn't any detection (of
that) going on.

> I have installed snort 2.01 on my windows machine. I cannot find the
> folder in which all the C files are kept at. Where are they?

Well, I don't have a Win32 box to check on, but I'm guessing that the
Win32 binary distro does not include the source. If you need it, grab
WinZip ( http://www.winzip.com/ ) so you can uncompress the archive, grab
the archive  and then unpack it. You should see the Win32 specific
files in snort-2.0.1/src/win32/ .

> And finally ... when I ran snort 1.9 on the same traffic data... I did
> not get this "returning!" message thing... snort 1.9 never detected these
> bad checksum packets... however snort2.01 does detect this. I wanted to
> double check here with you whether snort1.9 cannot actually do that or
> was I doing something wrong.

Right. This was something that was added in 2.0.x. Now of course since
2.0.2 is out, you should upgrade. :) IIRC, the "returning! TCP" blah
isn't in 2.0.2. I guess I should really upgrade as well. :)

"When things get weird, the weird turn pro." H.S. Thompson