[Snort-users] Newbie Questions

Adam Keeton akeeton at ...1935...
Fri Oct 27 11:06:05 EDT 2006


Snort is almost undoubtedly dropping TCP packets due to failed
checksum checking.  You can verify this by adding a "-k none" to Snort's
args to disable checksum checks.

If you are dropping TCP packets from checksums, you can either download
the latest beta (2.6.1 beta 2), check out the latest open source copy
from CVS, or recompile Snort with -fno-strict-aliasing.

To recompile without strict aliasing, do a "make clean", and run
configure with the CFLAGS environment variable set to
"-fno-strict-aliasing", i.e.:

CFLAGS=-fno-strict-aliasing ./configure <your configuration options>


Davis Lee wrote:
> Greetings & TIA,
> I have two boxes plugged into the same switch. 
> One is Snort 2.44 on FC4 displayed through Base 1.2.2 (cindy).
> Two is Snort 2.6.02 on FC5 displayed through Base 1.2.6 (Christine).
> AFAIK, the snort.conf files are identical (at least my visual step
> through shows them to be the same). Also, the local.rules file is almost
> the same, except for the order of listing. 
> Cindy is giving me a whole lot more info than Christine. Christine only
> shows UDP, and misses a lot of info that Wireshark, running on her box,
> does show.
> Where should I start in order to get more info from Christine? I've
> looked at var/log/snort and I think Christine is reporting all she sees.
> Thanks,
> Davis Lee
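
Added example (not part of the original message and not Snort's own code): an independent recomputation of the TCP checksum for a segment that Wireshark shows but Snort does not alert on. The function names and the sample segment are constructed for illustration; bytes are read one at a time, so the result does not depend on the compiler's aliasing behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 one's-complement sum of big-endian 16-bit words. Bytes are read
 * individually, so no pointer casts are involved and the result is the
 * same with or without -fno-strict-aliasing. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        acc += (uint32_t)p[len - 1] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* Folded sum over the IPv4 pseudo-header plus the whole TCP segment.
 * 0xffff means the checksum stored in the segment is valid. */
static uint16_t tcp4_sum(const uint8_t src[4], const uint8_t dst[4],
                         const uint8_t *seg, size_t len)
{
    uint32_t acc = sum_words(src, 4, 0);
    acc = sum_words(dst, 4, acc);
    acc += 6 + (uint32_t)len;               /* protocol 6 (TCP) + TCP length */
    acc = sum_words(seg, len, acc);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

static int tcp4_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                            const uint8_t *seg, size_t len)
{
    return len >= 20 && tcp4_sum(src, dst, seg, len) == 0xffff;
}

/* Constructed sample: 192.0.2.1:1234 -> 198.51.100.2:80, PSH|ACK, payload
 * "GET". The checksum (offsets 16..17) was computed for this example. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 2};
static uint8_t SEG[23] = {0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18,
                          0x20,0x00, 0x03,0x2a, 0,0, 'G','E','T'};

int main(void)
{
    printf("stored checksum valid: %d\n", tcp4_checksum_ok(SRC, DST, SEG, sizeof SEG));
    SEG[22] ^= 0x01;                        /* corrupt one payload bit */
    printf("after corruption:      %d\n", tcp4_checksum_ok(SRC, DST, SEG, sizeof SEG));
    return 0;
}
```

If segments taken from the sensor's own capture validate here while Snort only reports TCP when started with "-k none", the checksums on the wire are fine and the Snort build is the place to look.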
