Snort mailing list archives
Re: Weird double logging problem
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Oct 2011 12:59:30 -0400
I am betting that you are mirroring two ports to Snort. One port being mirrored to Snort has the computer you are doing the wget on, and you are also mirroring the uplink port? Just throwing that out there.

On Oct 19, 2011, at 10:17 AM, Peter Bates wrote:
Hello again all...

On 19/10/2011 13:51, Peter Bates wrote:
I'm running tcpdump on the 'wget' client machine and I can only see one request.

The 'duplicated' alerts:

15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125

When I load the capture into Wireshark the appearance of 'TCP Retransmission' makes this a lot clearer - Snort is logging twice because the packets are being retransmitted. I probably need to go to packet capture 101.

--
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
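The two explanations offered in this thread (the sensor sees every segment twice because both the client port and the uplink are mirrored, versus a genuine TCP retransmission) leave different fingerprints in a capture, and the check below tells them apart. It is an added example, not code from the original thread or from Snort: it parses tcpdump output in the format Peter quoted, reading the first segment tcpdump prints for a direction as absolute sequence numbers and later ones as relative to it, so "seq 0:125, ack 1" on the second quoted line denotes the same 125 bytes as "seq 6346543:6346668". A copy that arrives within microseconds with an identical TSval is a capture duplicate; a copy that arrives one RTO or more later with a fresh TSval is a retransmission. The two quoted lines are taken from the thread, the remaining sample lines are constructed, and DUP_WINDOW and the function names are this example's own.

```python
"""Classify repeated TCP segments in tcpdump output as capture duplicates
or genuine retransmissions.

Assumes default tcpdump formatting (-n, relative sequence numbers, i.e. no -S)
with HH:MM:SS.usec timestamps and the TCP timestamp option rendered as
"TS val X ecr Y". DUP_WINDOW and the function names are this example's own.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq0>\d+)(?::(?P<seq1>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win \d+"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<len>\d+)"
)
TSVAL_RE = re.compile(r"TS val (\d+) ecr (\d+)")

# A SPAN/mirror duplicate reaches the sensor microseconds after the original
# with an identical TSval; a real retransmission waits at least one RTO (tens
# of milliseconds or more) and carries a fresh TSval. 5 ms separates the two.
DUP_WINDOW = 0.005

# Sample capture. Lines 1-2 are the two segments quoted in the thread; lines
# 3-5 are constructed: a reverse-direction ACK and a genuine retransmission.
SAMPLE = [
    "15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125",
    "15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125",
    "15:00:06.592000 IP 193.110.88.201.80 > 193.60.246.200.46075: Flags [.], ack 6346668, win 1000, options [nop,nop,TS val 2294067112 ecr 2612833771], length 0",
    "15:00:06.800000 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 125:250, ack 1, win 92, options [nop,nop,TS val 2612833980 ecr 2294067112], length 125",
    "15:00:07.050000 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 125:250, ack 1, win 92, options [nop,nop,TS val 2612834230 ecr 2294067112], length 125",
]


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for lines not handled."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    ts = TSVAL_RE.search(m["opts"] or "")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "flow": (m["src"], m["dst"]),  # one direction of one connection
        "seq": int(m["seq0"]) if m["seq0"] else None,
        "len": int(m["len"]),
        "tsval": int(ts.group(1)) if ts else None,
    }


def analyse(lines):
    """Return one finding per data segment that repeats an earlier one.

    Each finding carries kind ('capture-duplicate' or 'retransmission'), the
    1-based line number, the direction, the absolute sequence number, the
    payload length and the gap in seconds since the previous copy.
    """
    base = {}                  # direction -> absolute seq of its first printed segment
    seen = defaultdict(list)   # (direction, abs seq, len) -> [(time, tsval), ...]
    findings = []
    for n, line in enumerate(lines, 1):
        p = parse_line(line)
        if p is None or p["seq"] is None:
            continue
        # tcpdump prints the first segment it sees in a direction with absolute
        # numbers and every later one relative to it, so "seq 0:125" on the
        # second quoted line is the same 125 bytes as "seq 6346543:6346668".
        if p["flow"] not in base:
            base[p["flow"]] = p["seq"]
            abs_seq = p["seq"]
        else:
            abs_seq = base[p["flow"]] + p["seq"]
        if p["len"] == 0:
            continue                     # pure ACKs carry no payload to duplicate
        key = (p["flow"], abs_seq, p["len"])
        if seen[key]:
            t_prev, tsval_prev = seen[key][-1]
            gap = p["t"] - t_prev
            if gap <= DUP_WINDOW and p["tsval"] == tsval_prev:
                kind = "capture-duplicate"   # same segment delivered to the sensor twice
            else:
                kind = "retransmission"      # sender re-sent after timeout or dup ACKs
            findings.append({"kind": kind, "line": n, "flow": p["flow"],
                             "seq": abs_seq, "len": p["len"], "gap": gap})
        seen[key].append((p["t"], p["tsval"]))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"line {f['line']}: {f['kind']} of seq {f['seq']} "
              f"({f['len']} bytes), {f['gap'] * 1e6:.0f} us after the previous copy")
```

Run it against a tcpdump capture taken on the sensor's own sniffing interface, not on the wget client: the client only ever sends one segment, and a mirror-induced copy is created at the switch, so the client-side capture Peter describes would show a single request either way. Once a capture-duplicate shows up, editcap -d from the Wireshark suite drops exact duplicates from the pcap, and replaying the cleaned file with snort -r confirms whether the double alerts disappear with them.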
Current thread:
- Weird double logging problem Peter Bates (Oct 19)
- Re: Weird double logging problem Jason Wallace (Oct 19)
- Re: Weird double logging problem Peter Bates (Oct 19)
- Re: Weird double logging problem Peter Bates (Oct 19)
- Re: Weird double logging problem Joel Esler (Oct 19)
- Re: Weird double logging problem Peter Bates (Oct 19)
- Re: Weird double logging problem Jason Wallace (Oct 19)