[Honeywall] Snort rules

Rob McMillen rvmcmil at gmail.com
Fri Jul 25 07:09:25 EDT 2008


The only thing that modifies packets, and this is only outbound, is
snort_inline.  Could there be another rule targeting tftp in another
file?  When you said you restarted the honeywall, did you mean a
reboot?  Or did you use the UI to restart the honeywall services?

Rob

On Wed, Jul 23, 2008 at 4:27 PM, Jefferson, Shawn
<Shawn.Jefferson at bcferries.com> wrote:
> Hmm, that's exactly what I did, I commented out the TFTP Get rule in
> tftp.rules and restarted the Honeywall.  Maybe the problem isn't coming
> from snort_inline then, but somewhere else.  I don't mind the lack of a
> GUI interface to snort rules... I just wanted to make sure I was editing
> the right files.
>
> I notice that Walleye is still picking up on the TFTP Get, but I think
> this is due to the regular snort IDS.
>
> Can anyone think of any other reason the TFTP opcode would be
> sent as 0x1201 instead of 0x0001 from behind my Honeywall?

