[Honeywall] Snort rules

Earl esammons at hush.com
Fri Jul 25 10:48:23 EDT 2008

grep '0x1201' /etc/snort_inline/rules/*.rules


On Fri, 25 Jul 2008 07:09:25 -0400 Rob McMillen <rvmcmil at gmail.com> 
>The only thing that modifies packets, and this is only outbound, 
>snort_inline.  Could there be another rule targeting tftp in 
>file?  When you said you restarted the honeywall, did you mean a
>reboot?  Or did you use the UI to restart the honeywall services?
>On Wed, Jul 23, 2008 at 4:27 PM, Jefferson, Shawn
><Shawn.Jefferson at bcferries.com> wrote:
>> Hmm, that's exactly what I did, I commented out the TFTP Get rule in
>> tftp.rules and restarted the Honeywall.  Maybe the problem isn't
>> from snort_inline then, but somewhere else.  I don't mind the lack of a
>> GUI interface to snort rules... I just wanted to make sure I was
>> the right files.
>> I notice that Walleye is still picking up on the TFTP Get, but I 
>> this is due to the regular snort IDS.
>> Can anyone think of any other reason the TFTP opcode would 
>> sent as 0x1201 instead of 0x0001 from behind my Honeywall ?
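Added example, not part of the thread or of the Honeywall distribution: a shell audit of a snort_inline rules directory that lists uncommented rules carrying a `replace:` option (the snort_inline keyword that rewrites matched payload) and rules whose `|..|` hex strings contain given bytes such as 0x1201. The sample rules, sids and messages are constructed, and single-line rules are assumed.

```shell
#!/bin/sh
# Added example: audit snort_inline rule files for active rules that
# rewrite payload bytes. Rules split across lines are not handled.

# Turn 0x1201 into a regex for rule hex syntax: matches |12 01| and |1201|.
hex_regex() {
    printf '%s\n' "${1#0x}" | sed 's/../&[ ]*/g; s/\[ \]\*$//'
}

# Print file:line:sid for every uncommented rule with a replace: option.
active_replace_rules() {
    awk '
        /^[ \t]*#/ { next }                      # disabled rule, ignore
        /replace[ \t]*:/ {
            sid = "?"
            if (match($0, /sid[ \t]*:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", sid)
            }
            printf "%s:%d:%s\n", FILENAME, FNR, sid
        }' "$1"/*.rules
}

# Print uncommented rules in dir $1 whose |..| hex strings hold the bytes $2.
active_rules_with_bytes() {
    pat=$(hex_regex "$2")
    grep -HinE "\\|[^|]*${pat}[^|]*\\|" "$1"/*.rules |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Constructed sample rules (hypothetical sids and messages) for a dry run.
make_sample_rules() {
    cat > "$1/tftp.rules" <<'EOF'
#alert udp any any -> any 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; sid:1000001;)
EOF
    cat > "$1/local.rules" <<'EOF'
alert udp $HOME_NET any -> any 69 (msg:"constructed rewrite"; content:"|00 01|"; replace:"|12 01|"; sid:1000002;)
alert udp any any -> any 69 (msg:"constructed plain"; content:"|00 02|"; sid:1000003;)
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_rules "$d"
    active_replace_rules "$d"; active_rules_with_bytes "$d" 0x1201; rm -rf "$d"
fi
```

On a Honeywall the directory argument would be `/etc/snort_inline/rules`, the path used in the grep above.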