Snort mailing list archives
Re: Why can't I see tcp flags for a triggered alert (snort+base)
From: Joel Esler <eslerj () gmail com>
Date: Wed, 21 Jan 2009 09:04:47 -0500
Flags in a TCP packet are recorded. Can you post your snort.conf, command-line startup, rule, and even a pcap?

Joel

On Jan 21, 2009, at 6:05 AM, John Huss allegedly wrote:

Hello all,

I've been trying to create my first Snort rule and then trigger it and was wondering if any kind people could give me some advice.

I've been able to trigger the basic version of the rule and can see it displaying in Base. However, in the next step I'll be making the rule more complex. Currently when I click on the triggered alert and look at the TCP options, I can see it is filling in the source port and dest port fields no problem. But specifically I'm expecting to see SYN and ACK fields with a value in them - and I am not. I.e. I'd like to look at the page and see that the particular attack is using a SYN and not an ACK type thing etc.

Is there something I have to do to enable it/fix it to display the SYN and ACK flag settings of my alert that has flagged? Not sure what other information you might need to help diagnose this problem - please let me know and I'll happily provide it.

Looking at the mysql tcphdr table I see lots of entries with NULL entries like so:

| 1 | 8647 | 58996 | 22 | NULL | NULL | NULL | NULL | 0 | NULL | NULL | NULL |

Should the SYN/ACK status be recorded here? Do I need to enable another pre-processor or 'include' directive to get the SYN, ACK flags to be recorded?

Sorry for all the questions!

Cheers,
Johnny

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]
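An added example, not part of the thread or of Snort's own code, that shows what the tcphdr row quoted above actually says about the TCP flags. It assumes the column order of Snort's create_mysql schema (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp), parses the mysql table row, decodes the tcp_flags octet into flag names, and points out rows whose header fields were never recorded. The second and third sample rows are constructed; only the first is from the message.

```python
# Added example: decode the tcp_flags column of Snort's tcphdr table and
# distinguish "no flags set" from "flags never recorded".
# Assumption: column order follows Snort's create_mysql schema.
from typing import Dict, List, Optional

# Bits of the TCP flags octet, most significant first (RFC 793, ECN bits from RFC 3168)
TCP_FLAG_BITS = [
    ("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
    ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01),
]

# Assumed tcphdr column order (Snort create_mysql schema)
TCPHDR_COLUMNS = [
    "sid", "cid", "tcp_sport", "tcp_dport", "tcp_seq", "tcp_ack",
    "tcp_off", "tcp_res", "tcp_flags", "tcp_win", "tcp_csum", "tcp_urp",
]

# Sample rows: the first is the row quoted in the message; the other two are
# constructed here to show a SYN (0x02) and a SYN+ACK (0x12) being decoded.
SAMPLE_ROWS = [
    "| 1 | 8647 | 58996 | 22 | NULL | NULL | NULL | NULL | 0 | NULL | NULL | NULL |",
    "| 1 | 8648 | 58997 | 22 | 1000 | 0 | 5 | 0 | 2 | 65535 | 12345 | 0 |",
    "| 1 | 8649 | 22 | 58997 | 2000 | 1001 | 5 | 0 | 18 | 65535 | 12346 | 0 |",
]


def decode_tcp_flags(value: int) -> List[str]:
    """Return the names of the bits set in a TCP flags octet, MSB first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("TCP flags octet must be in 0..255")
    return [name for name, bit in TCP_FLAG_BITS if value & bit]


def parse_tcphdr_row(line: str) -> Dict[str, Optional[int]]:
    """Parse one '| a | b | ... |' line of mysql client output into a dict.

    NULL cells become None; every other cell is parsed as an integer.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != len(TCPHDR_COLUMNS):
        raise ValueError(f"expected {len(TCPHDR_COLUMNS)} cells, got {len(cells)}")
    return {name: (None if cell.upper() == "NULL" else int(cell))
            for name, cell in zip(TCPHDR_COLUMNS, cells)}


def describe_row(row: Dict[str, Optional[int]]) -> str:
    """Describe the flags of one tcphdr row, flagging rows with no header data."""
    flags = row["tcp_flags"]
    if flags is None:
        return "flags not recorded (tcp_flags is NULL)"
    header_cols = ("tcp_seq", "tcp_ack", "tcp_off", "tcp_win")
    if flags == 0 and all(row[c] is None for c in header_cols):
        # Ports are present but every other header column is NULL and the
        # flags octet is 0: the header fields were not written for this alert.
        return "header fields not recorded (tcp_flags 0, other header columns NULL)"
    names = decode_tcp_flags(flags)
    return "+".join(names) if names else "no flags set"


def audit(lines: List[str]) -> List[tuple]:
    """Return (cid, description) for each tcphdr row."""
    result = []
    for line in lines:
        row = parse_tcphdr_row(line)
        result.append((row["cid"], describe_row(row)))
    return result


if __name__ == "__main__":
    for cid, desc in audit(SAMPLE_ROWS):
        print(f"cid={cid}: {desc}")
```

Run it and the first (real) row reports that the header columns were not recorded at all, while the constructed rows decode to SYN and ACK+SYN; paste your own `SELECT * FROM tcphdr` output into SAMPLE_ROWS to check whether the flags are absent in the database (an output-plugin or logging problem) or present there and merely not displayed by BASE.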
Current thread:
- Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) pieter claassen (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Shirk Dog (Jan 22)