[Honeywall] Snort rules

Jefferson, Shawn Shawn.Jefferson at bcferries.com
Wed Jul 23 14:23:29 EDT 2008


I'm having some trouble allowing TFTP GET transfers from my Honeypots.
Doing a packet capture on my TFTP server, I notice that the TFTP opcode
is being sent as 0x1201 from the Honeypot when it sends the request
through the Honeywall.  If I move the Honeypot so that it isn't behind
the Honeywall, TFTP works fine and the opcode is 0x0001 like you would
assume.  I'm assuming this is snort-inline that is changing the packet,
but I just can't see how to stop it from doing this.  I've looked at the
rules in etc and made changes there, but I'm still having this problem.

What's the method to change the snort_inline rules on Honeywall roo 1.4
?  Anyone else have this problem?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://public.honeynet.org/pipermail/honeywall/attachments/20080723/933401fa/attachment.html

More information about the Honeywall mailing list