Snort mailing list archives

Re: Is snort missing something?


From: steven <steven () steven4u net>
Date: Tue, 03 Jul 2001 20:16:21 +0800

Thanks, now I know it's base64 code.

Matt Watchinski wrote:

money:goodbye

steven wrote:

Hi,

I am doing a test of sniffing packets in an http authentication
session.  The http authentication is a feature built into my apache
server (I believe it's also the same with other popular http servers in the
market).

The picture is:

1. The browser requests a document from the server.
2. The server issues an authentication challenge.
3. The browser prompts the user for credentials (typically via a
username/password popup).
4. The browser sends a new request to the server, including the
credentials (username and encrypted
password) entered.
5. The server validates the credentials supplied, and (if acceptable)
returns the document requested.

So, I wrote a .htaccess file on my server to make this happen.  Then
I opened the browser and accessed the protected documents.  During the
operation, I was running snort on the server to monitor the full
process.

Everything is *ALMOST* okay: snort captured the packets for steps
1, 2, and 5 (step 3 is client-side behavior).  But I did *NOT*
see the transferred packet for step 4 -- that is just what I am really
interested in.

I attached the logged packets below for your information:

------------------------------------------------------------------------------

#>snort -b -l . -L 3.log -i eth0 host 192.168.1.1(client) and host
192.168.1.7(server)
#>snort -devr 3.log > 3-ascii.log
-------------------------------------------------------------------------------

        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "3.log" file.
snaplen = 1514

        --== Initialization Complete ==--
07/01-04:13:56.172808 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800
len:0x1D3
192.168.1.1:2636 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60907
IpLen:20 DgmLen:453 DF
***AP*** Seq: 0x2B3033FE  Ack: 0xA8389027  Win: 0xFA04  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102036 35768581
47 45 54 20 2F 64 6F 63 75 6D 65 6E 74 61 74 69  GET /documentati
6F 6E 2F 63 6F 6D 70 75 74 65 72 2F 20 48 54 54  on/computer/ HTT
50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 69  P/1.1..Accept: i
6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F  mage/gif, image/
78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65  x-xbitmap, image
2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 6A 70  /jpeg, image/pjp
65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F  eg, application/
76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70 6F 69 6E  vnd.ms-powerpoin
74 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76  t, application/v
6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61 70 70  nd.ms-excel, app
6C 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C  lication/msword,
20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68   */*..Referer: h
74 74 70 3A 2F 2F 77 77 77 2E 73 74 65 76 65 6E  ttp://www.steven
34 75 2E 6E 65 74 2F 64 6F 63 75 6D 65 6E 74 61  4u.net/documenta
74 69 6F 6E 2F 0D 0A 41 63 63 65 70 74 2D 4C 61  tion/..Accept-La
6E 67 75 61 67 65 3A 20 7A 68 2D 63 6E 0D 0A 41  nguage: zh-cn..A
63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20  ccept-Encoding:
67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55  gzip, deflate..U
73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
6C 65 3B 20 4D 53 49 45 20 35 2E 35 3B 20 57 69  le; MSIE 5.5; Wi
6E 64 6F 77 73 20 4E 54 20 35 2E 30 29 0D 0A 48  ndows NT 5.0)..H
6F 73 74 3A 20 77 77 77 2E 73 74 65 76 65 6E 34  ost: www.steven4
75 2E 6E 65 74 0D 0A 43 6F 6E 6E 65 63 74 69 6F  u.net..Connectio
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D  n: Keep-Alive...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:13:56.173621 52:54:4C:29:40:68 -> 0:60:97:2E:7:B8 type:0x800
len:0x33D
61.142.75.69:80 -> 192.168.1.1:2636 TCP TTL:64 TOS:0x0 ID:8702 IpLen:20
DgmLen:815 DF
***AP*** Seq: 0xA8389027  Ack: 0x2B30358F  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 35769017 102036
48 54 54 50 2F 31 2E 31 20 34 30 31 20 41 75 74  HTTP/1.1 401 Aut
68 6F 72 69 7A 61 74 69 6F 6E 20 52 65 71 75 69  horization Requi
72 65 64 0D 0A 44 61 74 65 3A 20 53 61 74 2C 20  red..Date: Sat,
33 30 20 4A 75 6E 20 32 30 30 31 20 32 30 3A 31  30 Jun 2001 20:1
33 3A 35 36 20 47 4D 54 0D 0A 53 65 72 76 65 72  3:56 GMT..Server
3A 20 41 70 61 63 68 65 2F 31 2E 33 2E 31 32 20  : Apache/1.3.12
28 55 6E 69 78 29 0D 0A 57 57 57 2D 41 75 74 68  (Unix)..WWW-Auth
65 6E 74 69 63 61 74 65 3A 20 42 61 73 69 63 20  enticate: Basic
72 65 61 6C 6D 3D 22 63 6F 6D 70 75 74 65 72 20  realm="computer
64 6F 63 22 0D 0A 4B 65 65 70 2D 41 6C 69 76 65  doc"..Keep-Alive
3A 20 74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61  : timeout=15, ma
78 3D 39 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  x=96..Connection
3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 54 72  : Keep-Alive..Tr
61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A  ansfer-Encoding:
20 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E   chunked..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type: text/htm
6C 3B 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38  l; charset=iso-8
38 35 39 2D 31 0D 0A 0D 0A 31 64 36 0D 0A 3C 21  859-1....1d6..<!
44 4F 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42  DOCTYPE HTML PUB
4C 49 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54  LIC "-//IETF//DT
44 20 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E  D HTML 2.0//EN">
0A 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54  .<HTML><HEAD>.<T
49 54 4C 45 3E 34 30 31 20 41 75 74 68 6F 72 69  ITLE>401 Authori
7A 61 74 69 6F 6E 20 52 65 71 75 69 72 65 64 3C  zation Required<
2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41 44 3E 3C  /TITLE>.</HEAD><
42 4F 44 59 3E 0A 3C 48 31 3E 41 75 74 68 6F 72  BODY>.<H1>Author
69 7A 61 74 69 6F 6E 20 52 65 71 75 69 72 65 64  ization Required
3C 2F 48 31 3E 0A 54 68 69 73 20 73 65 72 76 65  </H1>.This serve
72 20 63 6F 75 6C 64 20 6E 6F 74 20 76 65 72 69  r could not veri
66 79 20 74 68 61 74 20 79 6F 75 0A 61 72 65 20  fy that you.are
61 75 74 68 6F 72 69 7A 65 64 20 74 6F 20 61 63  authorized to ac
63 65 73 73 20 74 68 65 20 64 6F 63 75 6D 65 6E  cess the documen
74 0A 72 65 71 75 65 73 74 65 64 2E 20 20 45 69  t.requested.  Ei
74 68 65 72 20 79 6F 75 20 73 75 70 70 6C 69 65  ther you supplie
64 20 74 68 65 20 77 72 6F 6E 67 0A 63 72 65 64  d the wrong.cred
65 6E 74 69 61 6C 73 20 28 65 2E 67 2E 2C 20 62  entials (e.g., b
61 64 20 70 61 73 73 77 6F 72 64 29 2C 20 6F 72  ad password), or
20 79 6F 75 72 0A 62 72 6F 77 73 65 72 20 64 6F   your.browser do
65 73 6E 27 74 20 75 6E 64 65 72 73 74 61 6E 64  esn't understand
20 68 6F 77 20 74 6F 20 73 75 70 70 6C 79 0A 74   how to supply.t
68 65 20 63 72 65 64 65 6E 74 69 61 6C 73 20 72  he credentials r
65 71 75 69 72 65 64 2E 3C 50 3E 0A 3C 48 52 3E  equired.<P>.<HR>
0A 3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65  .<ADDRESS>Apache
2F 31 2E 33 2E 31 32 20 53 65 72 76 65 72 20 61  /1.3.12 Server a
74 20 77 77 77 2E 73 74 65 76 65 6E 34 75 2E 6E  t www.steven4u.n
65 74 20 50 6F 72 74 20 38 30 3C 2F 41 44 44 52  et Port 80</ADDR
45 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F 48 54  ESS>.</BODY></HT
4D 4C 3E 0A 0D 0A 30 0D 0A 0D 0A                 ML>...0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:13:56.313746 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800
len:0x42
192.168.1.1:2636 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60909
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2B30358F  Ack: 0xA8389322  Win: 0xFAF0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102038 35769017

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:14:00.215903 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800
len:0x1FE
192.168.1.1:2637 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60910
IpLen:20 DgmLen:496 DF
***AP*** Seq: 0x2B31202A  Ack: 0xA8367DAD  Win: 0xFA72  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102076 35768581
47 45 54 20 2F 64 6F 63 75 6D 65 6E 74 61 74 69  GET /documentati
6F 6E 2F 63 6F 6D 70 75 74 65 72 2F 20 48 54 54  on/computer/ HTT
50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 69  P/1.1..Accept: i
6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 65 2F  mage/gif, image/
78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 67 65  x-xbitmap, image
2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 6A 70  /jpeg, image/pjp
65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F  eg, application/
76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70 6F 69 6E  vnd.ms-powerpoin
74 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76  t, application/v
6E 64 2E 6D 73 2D 65 78 63 65 6C 2C 20 61 70 70  nd.ms-excel, app
6C 69 63 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C  lication/msword,
20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68   */*..Referer: h
74 74 70 3A 2F 2F 77 77 77 2E 73 74 65 76 65 6E  ttp://www.steven
34 75 2E 6E 65 74 2F 64 6F 63 75 6D 65 6E 74 61  4u.net/documenta
74 69 6F 6E 2F 0D 0A 41 63 63 65 70 74 2D 4C 61  tion/..Accept-La
6E 67 75 61 67 65 3A 20 7A 68 2D 63 6E 0D 0A 41  nguage: zh-cn..A
63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20  ccept-Encoding:
67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55  gzip, deflate..U
73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
6C 65 3B 20 4D 53 49 45 20 35 2E 35 3B 20 57 69  le; MSIE 5.5; Wi
6E 64 6F 77 73 20 4E 54 20 35 2E 30 29 0D 0A 48  ndows NT 5.0)..H
6F 73 74 3A 20 77 77 77 2E 73 74 65 76 65 6E 34  ost: www.steven4
75 2E 6E 65 74 0D 0A 43 6F 6E 6E 65 63 74 69 6F  u.net..Connectio
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:14:00.235842 52:54:4C:29:40:68 -> 0:60:97:2E:7:B8 type:0x800
len:0x42
61.142.75.69:80 -> 192.168.1.1:2637 TCP TTL:64 TOS:0x0 ID:8704 IpLen:20
DgmLen:52 DF
***A**** Seq: 0xA8367DAD  Ack: 0x2B3121E6  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 35769424 102076

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:14:00.265702 52:54:4C:29:40:68 -> 0:60:97:2E:7:B8 type:0x800
len:0x4BC
61.142.75.69:80 -> 192.168.1.1:2637 TCP TTL:64 TOS:0x0 ID:8705 IpLen:20
DgmLen:1198 DF
***AP*** Seq: 0xA8367DAD  Ack: 0x2B3121E6  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 35769426 102076
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 53 61 74 2C 20 33 30 20 4A  .Date: Sat, 30 J
75 6E 20 32 30 30 31 20 32 30 3A 31 34 3A 30 30  un 2001 20:14:00
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 31 32 20 28 55 6E 69  ache/1.3.12 (Uni
78 29 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20  x)..Keep-Alive:
74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61 78 3D  timeout=15, max=
39 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  99..Connection:
4B 65 65 70 2D 41 6C 69 76 65 0D 0A 54 72 61 6E  Keep-Alive..Tran
73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63  sfer-Encoding: c
68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 2D  hunked..Content-
54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D  Type: text/html.
0A 0D 0A 33 61 62 0D 0A 3C 21 44 4F 43 54 59 50  ...3ab..<!DOCTYP
45 20 48 54 4D 4C 20 50 55 42 4C 49 43 20 22 2D  E HTML PUBLIC "-
2F 2F 57 33 43 2F 2F 44 54 44 20 48 54 4D 4C 20  //W3C//DTD HTML
33 2E 32 20 46 69 6E 61 6C 2F 2F 45 4E 22 3E 0A  3.2 Final//EN">.
3C 48 54 4D 4C 3E 0A 20 3C 48 45 41 44 3E 0A 20  <HTML>. <HEAD>.
20 3C 54 49 54 4C 45 3E 49 6E 64 65 78 20 6F 66   <TITLE>Index of
20 2F 64 6F 63 75 6D 65 6E 74 61 74 69 6F 6E 2F   /documentation/
63 6F 6D 70 75 74 65 72 3C 2F 54 49 54 4C 45 3E  computer</TITLE>
0A 20 3C 2F 48 45 41 44 3E 0A 20 3C 42 4F 44 59  . </HEAD>. <BODY
3E 0A 3C 48 31 3E 49 6E 64 65 78 20 6F 66 20 2F  >.<H1>Index of /
64 6F 63 75 6D 65 6E 74 61 74 69 6F 6E 2F 63 6F  documentation/co
6D 70 75 74 65 72 3C 2F 48 31 3E 0A 3C 50 52 45  mputer</H1>.<PRE
3E 3C 49 4D 47 20 53 52 43 3D 22 2F 69 63 6F 6E  ><IMG SRC="/icon
73 2F 62 6C 61 6E 6B 2E 67 69 66 22 20 41 4C 54  s/blank.gif" ALT
3D 22 20 20 20 20 20 22 3E 20 3C 41 20 48 52 45  ="     "> <A HRE
46 3D 22 3F 4E 3D 44 22 3E 4E 61 6D 65 3C 2F 41  F="?N=D">Name</A
3E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20  >
20 20 20 20 20 3C 41 20 48 52 45 46 3D 22 3F 4D       <A HREF="?M
3D 41 22 3E 4C 61 73 74 20 6D 6F 64 69 66 69 65  =A">Last modifie
64 3C 2F 41 3E 20 20 20 20 20 20 20 3C 41 20 48  d</A>       <A H
52 45 46 3D 22 3F 53 3D 41 22 3E 53 69 7A 65 3C  REF="?S=A">Size<
2F 41 3E 20 20 3C 41 20 48 52 45 46 3D 22 3F 44  /A>  <A HREF="?D
3D 41 22 3E 44 65 73 63 72 69 70 74 69 6F 6E 3C  =A">Description<
2F 41 3E 0A 3C 48 52 3E 0A 3C 49 4D 47 20 53 52  /A>.<HR>.<IMG SR
43 3D 22 2F 69 63 6F 6E 73 2F 62 61 63 6B 2E 67  C="/icons/back.g
69 66 22 20 41 4C 54 3D 22 5B 44 49 52 5D 22 3E  if" ALT="[DIR]">
20 3C 41 20 48 52 45 46 3D 22 2F 64 6F 63 75 6D   <A HREF="/docum
65 6E 74 61 74 69 6F 6E 2F 22 3E 50 61 72 65 6E  entation/">Paren
74 20 44 69 72 65 63 74 6F 72 79 3C 2F 41 3E 20  t Directory</A>
20 20 20 20 20 20 20 32 37 2D 4D 61 79 2D 32 30         27-May-20
30 31 20 31 35 3A 31 33 20 20 20 20 20 20 2D 20  01 15:13      -
20 0A 3C 49 4D 47 20 53 52 43 3D 22 2F 69 63 6F   .<IMG SRC="/ico
6E 73 2F 66 6F 6C 64 65 72 2E 67 69 66 22 20 41  ns/folder.gif" A
4C 54 3D 22 5B 44 49 52 5D 22 3E 20 3C 41 20 48  LT="[DIR]"> <A H
52 45 46 3D 22 68 61 72 64 77 61 72 65 2F 22 3E  REF="hardware/">
68 61 72 64 77 61 72 65 2F 3C 2F 41 3E 20 20 20  hardware/</A>
20 20 20 20 20 20 20 20 20 20 20 20 31 32 2D 4A              12-J
75 6E 2D 32 30 30 31 20 32 33 3A 33 33 20 20 20  un-2001 23:33
20 20 20 2D 20 20 0A 3C 49 4D 47 20 53 52 43 3D     -  .<IMG SRC=
22 2F 69 63 6F 6E 73 2F 66 6F 6C 64 65 72 2E 67  "/icons/folder.g
69 66 22 20 41 4C 54 3D 22 5B 44 49 52 5D 22 3E  if" ALT="[DIR]">
20 3C 41 20 48 52 45 46 3D 22 73 6F 66 74 77 61   <A HREF="softwa
72 65 2F 22 3E 73 6F 66 74 77 61 72 65 2F 3C 2F  re/">software/</
41 3E 20 20 20 20 20 20 20 20 20 20 20 20 20 20  A>
20 32 38 2D 4A 75 6E 2D 32 30 30 31 20 32 33 3A   28-Jun-2001 23:
33 30 20 20 20 20 20 20 2D 20 20 0A 3C 49 4D 47  30      -  .<IMG
20 53 52 43 3D 22 2F 69 63 6F 6E 73 2F 66 6F 6C   SRC="/icons/fol
64 65 72 2E 67 69 66 22 20 41 4C 54 3D 22 5B 44  der.gif" ALT="[D
49 52 5D 22 3E 20 3C 41 20 48 52 45 46 3D 22 75  IR]"> <A HREF="u
6E 63 6C 61 73 73 69 66 69 65 64 2F 22 3E 75 6E  nclassified/">un
63 6C 61 73 73 69 66 69 65 64 2F 3C 2F 41 3E 20  classified/</A>
20 20 20 20 20 20 20 20 20 20 32 38 2D 4A 75 6E            28-Jun
2D 32 30 30 31 20 31 38 3A 33 39 20 20 20 20 20  -2001 18:39
20 2D 20 20 0A 3C 2F 50 52 45 3E 3C 48 52 3E 0A   -  .</PRE><HR>.
3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65 2F  <ADDRESS>Apache/
31 2E 33 2E 31 32 20 53 65 72 76 65 72 20 61 74  1.3.12 Server at
20 77 77 77 2E 73 74 65 76 65 6E 34 75 2E 6E 65   www.steven4u.ne
74 20 50 6F 72 74 20 38 30 3C 2F 41 44 44 52 45  t Port 80</ADDRE
53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F 48 54 4D  SS>.</BODY></HTM
4C 3E 0A 0D 0A 30 0D 0A 0D 0A                    L>...0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:14:00.420070 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800
len:0x42
192.168.1.1:2637 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60912
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2B3121E6  Ack: 0xA8368227  Win: 0xFAF0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102079 35769426

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================

Snort processed 7 packets.
Breakdown by protocol:                Action Stats:

    TCP: 7          (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================

Does this mean snort lost some packets?  Could anyone here please help me?
Thanks in advance.

-
steven

tel:     +86 760 8320102
rfc-822: steven () steven4u net

       \|||/
       (o o)
----ooO-(_)-Ooo--------
If money could talk, it would say - goodbye

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
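
Added example (not part of the original posts): an audit script that rebuilds each packet payload from the hex column of a `snort -d` dump and reports HTTP Basic credentials sent without TLS. It also shows why the step 4 header is easy to miss, since the 16-byte rows split "Authorization: Basic" across lines in the ASCII column. The function names are hypothetical; SAMPLE is the tail of the fourth packet copied from the dump above.

```python
import base64
import binascii
import re

# Tail of the fourth packet from the dump above (hex + ASCII, 16 bytes per row).
SAMPLE = """\
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....
"""

# Up to 16 "XX " groups anchored at line start; the ASCII column is never matched.
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")
AUTH = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.I | re.M)


def payloads(dump_text):
    """Yield one reassembled payload (bytes) per packet in a snort -d dump."""
    buf = bytearray()
    for line in dump_text.splitlines():
        if line.startswith("=+"):  # Snort's separator between packets
            if buf:
                yield bytes(buf)
            buf = bytearray()
            continue
        m = HEX_ROW.match(line)
        if m:
            buf += bytes.fromhex(m.group(1))
    if buf:
        yield bytes(buf)


def basic_auth_findings(dump_text):
    """Return the user and password length for each Basic credential found."""
    findings = []
    for data in payloads(dump_text):
        for m in AUTH.finditer(data):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, ignore
            user, sep, password = raw.partition(b":")
            if sep:  # Basic credentials are "user:password"
                findings.append({"user": user.decode("latin-1"),
                                 "password_len": len(password)})
    return findings


def visible_in_ascii_column(dump_text):
    """True if a line-by-line text search of the dump would find the header."""
    return any("Authorization: Basic" in ln for ln in dump_text.splitlines())


if __name__ == "__main__":
    print(visible_in_ascii_column(SAMPLE), basic_auth_findings(SAMPLE))
```

The password itself is deliberately not printed; only its length is reported so the finding can be logged safely.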
