[Snort-users] snort-2.6 appears to be only seeing half the packets?

Justin Heath justin.heath at ...11827...
Mon Jun 12 10:33:48 EDT 2006


Jason,

Are you using the smtp preprocessor in 2.6?


Thanks,
Justin Heath

On 6/12/06, Jason Haar <Jason.Haar at ...294...> wrote:
>
> Hi there
>
> I am starting to evaluate snort-2.6 before replacing our production 2.4
> systems, and I'm seeing all sorts of odd things.
>
> I've compiled it with libnet and dnet, along with flexresp2 under Fedora
> Core 5.
>
> The problem is that it appears snort is no longer seeing all the packets
> - or more precisely - the packets are merged together incorrectly
> (corrupted).
>
>
> Attached is a snort config file that when run under snort-2.6, catches
> the TFTP attempt, but doesn't routinely catch the SMTP one. The same
> config file under 2.4 catches both.
>
> Any ideas?
>
> -------- snip --------
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
>
> preprocessor stream4: disable_evasion_alerts, ttl_limit 10
> preprocessor stream4_reassemble: ports 21 23 25 53 80 110 111 143 513 1433 1570
>
> output alert_syslog: LOG_AUTH LOG_ALERT
> alert tcp any any -> any 25 (msg:"SMTP vrfy root";
> flow:to_server,established; content:"vrfy"; nocase; content:"root";
> distance:1; nocase; pcre:"/^vrfy\s+root/smi"; sid:1446; rev:6;)
> alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|";
> depth:2; content:"passwd"; offset:2; nocase; sid:1443; rev:4;)
> ---------- snip -------
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060612/becae9c8/attachment.html>
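A quick way to separate "snort is not seeing the packets" from "stream4/flow is not treating the session as established" is to replay the same canned pcap through both 2.4 and 2.6 with `snort -r`. The script below is an added example for that, not something from the thread or from the Snort project: it hand-builds a pcap (standard library only, no scapy) containing a full TCP three-way handshake, a server banner, a client "VRFY root" to port 25, and a TFTP read request for "passwd" to port 69, so that the two rules in the quoted config should both fire. The hosts 10.0.0.1/10.0.0.2, the MAC addresses, ports 40001/40002, the sequence numbers, the banner text and the output filename are all made up for the example.

```python
#!/usr/bin/env python3
"""Write a pcap that exercises the SMTP 'vrfy root' (sid 1446) and TFTP
'GET passwd' (sid 1443) rules: a complete TCP handshake so stream4 sees
an established, to_server flow, then a TFTP RRQ over UDP. Replay with
    snort -r smtp_tftp_test.pcap -c snort.conf
under both Snort versions and compare the alerts. Added example;
addresses, MACs, ports and sequence numbers are constructed."""
import itertools
import struct

CLIENT, SERVER = "10.0.0.1", "10.0.0.2"          # constructed endpoints
CLIENT_MAC = bytes.fromhex("020000000001")      # constructed MACs
SERVER_MAC = bytes.fromhex("020000000002")
SYN, ACK, PSH = 0x02, 0x10, 0x08
_IP_IDS = itertools.count(1)


def ip2bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def l4_checksum(src, dst, proto, segment):
    """TCP/UDP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    return checksum(pseudo + segment)


def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), next(_IP_IDS),
                      0x4000, 64, proto, 0, ip2bytes(src), ip2bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = l4_checksum(ip2bytes(src), ip2bytes(dst), 6, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def udp(src, dst, sport, dport, payload):
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = l4_checksum(ip2bytes(src), ip2bytes(dst), 17, hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def frame(src_mac, dst_mac, ip_packet):
    return dst_mac + src_mac + b"\x08\x00" + ip_packet


def build_packets():
    """Handshake, server banner, client VRFY root, then a TFTP RRQ for passwd."""
    cseq, sseq = 1000, 5000                       # constructed ISNs
    banner, vrfy = b"220 mail.example ready\r\n", b"VRFY root\r\n"

    def c2s(flags, seq, ack, data=b""):
        seg = tcp(CLIENT, SERVER, 40001, 25, seq, ack, flags, data)
        return frame(CLIENT_MAC, SERVER_MAC, ipv4(CLIENT, SERVER, 6, seg))

    def s2c(flags, seq, ack, data=b""):
        seg = tcp(SERVER, CLIENT, 25, 40001, seq, ack, flags, data)
        return frame(SERVER_MAC, CLIENT_MAC, ipv4(SERVER, CLIENT, 6, seg))

    frames = [
        c2s(SYN, cseq, 0),
        s2c(SYN | ACK, sseq, cseq + 1),
        c2s(ACK, cseq + 1, sseq + 1),
        s2c(PSH | ACK, sseq + 1, cseq + 1, banner),
        c2s(PSH | ACK, cseq + 1, sseq + 1 + len(banner), vrfy),
    ]
    rrq = b"\x00\x01" + b"passwd\x00" + b"octet\x00"   # TFTP opcode 1 = read request
    dgram = udp(CLIENT, SERVER, 40002, 69, rrq)
    frames.append(frame(CLIENT_MAC, SERVER_MAC, ipv4(CLIENT, SERVER, 17, dgram)))
    return frames


def write_pcap(path, frames):
    """Classic libpcap format, link type 1 (Ethernet), 1 ms between packets."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            fh.write(struct.pack("<IIII", 1150000000, i * 1000, len(fr), len(fr)))
            fh.write(fr)


def ip_checksum_ok(fr):
    return checksum(fr[14:34]) == 0


def l4_checksum_ok(fr):
    return l4_checksum(fr[26:30], fr[30:34], fr[23], fr[34:]) == 0


if __name__ == "__main__":
    write_pcap("smtp_tftp_test.pcap", build_packets())
```

If 2.6 alerts on the replayed file but not on the live interface, the difference is in capture (snaplen, libpcap, interface), not in the rule or the reassembly path; if it misses the SMTP alert on the file too, drop the smtp preprocessor and the stream4_reassemble port list one at a time and replay again.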