[Honeywall] Snort rules
esammons at hush.com
Fri Jul 25 10:48:23 EDT 2008
grep '0x1201' /etc/snort_inline/rules/*.rules
On Fri, 25 Jul 2008 07:09:25 -0400 Rob McMillen <rvmcmil at gmail.com> wrote:
>The only thing that modifies packets, and this is only outbound,
>snort_inline. Could there be another rule targeting tftp in
>file? When you said you restarted the honeywall, did you mean a
>reboot? Or did you use the UI to restart the honeywall services?
>On Wed, Jul 23, 2008 at 4:27 PM, Jefferson, Shawn
><Shawn.Jefferson at bcferries.com> wrote:
>> Hmm, that's exactly what I did, I commented out the TFTP Get
>> tftp.rules and restarted the Honeywall. Maybe the problem isn't
>> from snort_inline then, but somewhere else. I don't mind the lack of a
>> GUI interface to snort rules... I just wanted to make sure I was
>> the right files.
>> I notice that Walleye is still picking up on the TFTP Get, but I
>> this is due to the regular snort IDS.
>> Can anyone think of any other reason the TFTP opcode would
>> sent as 0x1201 instead of 0x0001 from behind my Honeywall?
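An added example, not part of the original thread or of the Honeywall distribution: Snort rule syntax writes binary bytes in `content` and snort_inline `replace` options as `|12 01|`, so this sketch lists every uncommented rule that carries a `replace:` option, across all rule files, and flags those whose hex payload contains the given bytes. The sample rules, sids and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample rules for the demo; NOT the Honeywall's shipped rule set.
make_sample_rules() {
    cat > "$1/tftp.rules" <<'EOF'
# alert udp $HOME_NET any -> any 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; replace:"|12 01|"; sid:1000001;)
alert udp $HOME_NET any -> any 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; sid:1000002;)
EOF
    cat > "$1/local.rules" <<'EOF'
alert udp $HOME_NET any -> any 69 (msg:"second TFTP rule"; content:"|00 01|"; depth:2; replace:"|12 01|"; sid:1000003;)
alert tcp $HOME_NET any -> any any (msg:"ascii replace"; content:"abcd"; replace:"wxyz"; sid:1000004;)
EOF
}

# find_replace_rules DIR "HH HH"   (hypothetical helper name)
# Prints file:line:MATCH|other:hexbytes for every active rule with a replace: option.
find_replace_rules() {
    dir=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        awk -v want="$want" -v file="${f##*/}" '
            /^[ \t]*#/ { next }                       # commented out: not loaded
            !match($0, /replace:[ \t]*"[^"]*"/) { next }
            {
                n = split(substr($0, RSTART, RLENGTH), part, "|")
                hex = ""                              # even-numbered parts are hex runs
                for (i = 2; i <= n; i += 2) hex = hex part[i]
                gsub(/ /, "", hex); hex = tolower(hex)
                tag = "other"                         # compare on byte boundaries only
                for (p = 1; want != "" && p + length(want) - 1 <= length(hex); p += 2)
                    if (substr(hex, p, length(want)) == want) tag = "MATCH"
                printf "%s:%d:%s:%s\n", file, NR, tag, hex
            }' "$f"
    done
}

# Demo run on the constructed rules.
tmp=$(mktemp -d)
make_sample_rules "$tmp"
find_replace_rules "$tmp" "12 01"
rm -rf "$tmp"
```

On a Honeywall, point it at the directory from the command above: `find_replace_rules /etc/snort_inline/rules "12 01"`.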