[Snort-users] snort-2.6 appears to be only seeing half the packets?

Jason Haar Jason.Haar at ...294...
Mon Jun 12 00:55:04 EDT 2006


Hi there

I am starting to evaluate snort-2.6 before replacing our production 2.4
systems, and I'm seeing all sorts of odd things.

I've compiled it with libnet and dnet, along with flexresp2 under Fedora
Core 5.

The problem is that it appears snort is no longer seeing all the packets
- or more precisely - the packets are merged together incorrectly
(corrupted).


Attached is a snort config file that when run under snort-2.6, catches
the TFTP attempt, but doesn't routinely catch the SMTP one. The same
config file under 2.4 catches both.

Any ideas?

-------- snip --------
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream4: disable_evasion_alerts, ttl_limit 10
preprocessor stream4_reassemble: ports 21 23 25 53 80 110 111 143 513
1433 1570

output alert_syslog: LOG_AUTH LOG_ALERT
alert tcp any any -> any 25 (msg:"SMTP vrfy root";
flow:to_server,established; content:"vrfy"; nocase; content:"root";
distance:1; nocase; pcre:"/^vrfy\s+root/smi"; sid:1446; rev:6;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|";
depth:2; content:"passwd"; offset:2; nocase; sid:1443; rev:4;)
---------- snip -------

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
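An added illustration (my own example, not code from the post or from Snort) of why a TCP-stream problem can hide the SMTP alert while the UDP TFTP rule keeps firing: the SMTP rule's payload options are modelled in a few lines and run over a constructed "VRFY root" command that is split across two TCP segments. Per-segment matching misses, a correctly reassembled stream matches, and a stream merged in the wrong order misses again; the model covers only the options this rule uses and is not Snort's detection engine.

```python
import re

# Model of the payload options in the rule from the config above:
#   content:"vrfy"; nocase; content:"root"; distance:1; nocase;
#   pcre:"/^vrfy\s+root/smi"
# This is an approximation for illustration, not Snort's matcher.
VRFY_ROOT_RE = re.compile(rb"^vrfy\s+root", re.M | re.I | re.S)


def smtp_vrfy_root_matches(payload: bytes) -> bool:
    """True if a single buffer satisfies the rule's content/distance/pcre checks."""
    data = payload.lower()                 # both content options carry nocase
    first = data.find(b"vrfy")
    if first < 0:
        return False
    # distance:1 -> search for "root" starts one byte past the end of "vrfy"
    start = first + len(b"vrfy") + 1
    if data.find(b"root", start) < 0:
        return False
    return VRFY_ROOT_RE.search(payload) is not None


def per_packet_hits(segments):
    """Match each TCP segment on its own (no stream reassembly at all)."""
    return [smtp_vrfy_root_matches(seg) for seg in segments]


def reassembled_hit(segments):
    """Match the concatenated stream, as stream4_reassemble would hand it on."""
    return smtp_vrfy_root_matches(b"".join(segments))


# Constructed sample sessions (not captured traffic).
SPLIT_SESSION = [b"VRFY ro", b"ot\r\n"]          # command split across two segments
WHOLE_SESSION = [b"VRFY root\r\n"]               # command in one segment
MISORDERED_SESSION = list(reversed(SPLIT_SESSION))  # segments merged in wrong order

if __name__ == "__main__":
    print("split, per packet :", per_packet_hits(SPLIT_SESSION))      # [False, False]
    print("split, reassembled:", reassembled_hit(SPLIT_SESSION))      # True
    print("whole, reassembled:", reassembled_hit(WHOLE_SESSION))      # True
    print("misordered merge  :", reassembled_hit(MISORDERED_SESSION)) # False
```

A single-datagram UDP rule like the TFTP one has no reassembly step, which is why a stream-handling regression shows up as "catches TFTP but not SMTP".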