Re: Weird double logging problem

[Joel Esler <jesler () sourcefire com>]

I am betting that you are mirroring two ports to Snort.  One port is being mirrored to Snort has the computer you are 
doing the wget on, and you are also mirroring the uplink port?

Just throwing that out there.



On Oct 19, 2011, at 10:17 AM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello again all...
>
> On 19/10/2011 13:51, Peter Bates wrote:
> > I'm running tcpdump on the 'wget' client machine and I can only
> > see one request.
>
> The 'duplicated' alerts:
> 15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags
> [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS
> val 2612833771 ecr 2294067111], length 125
>
> 15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags
> [P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr
> 2294067111], length 125
>
> when I load the capture into Wireshark the appearance of 'TCP
> Retransmission' makes this a lot clearer - Snort is logging twice
> because the packets are being retransmitted.
>
> I probably need to go to packet capture 101.
>
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division     Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOntvjAAoJELhVoVpEMS6RhxwH/2qx1KhXPBKQP9ByL4EwWMBj
> FXNvLJEeh2mVM/jHDsRce4AWArI1G9jDOe0eNuKeJxRQ6MOohJVBnlEoBr1uPcla
> Rv6C/Wh8rWpBFyV9EPv+E8ia9/Pmo6TuBQXI2I4koi/kfqq2ReOyJfdcnLS++cVN
> nhz+VHlRrim2HIDwL0ha9eBMNfy1PIai6iC6kHeS2SO8bCdteFMcrMXpJ8+GNBes
> PIwH1ioXkQFhrerm2VnP0+OaXRy2+vdmJZhaeRT+ueip5UJOzKlJ588kcjHrDPjk
> NKvCvWPqOzt8Fr/VMSCS/tklSCoQdQSsESKMispPwBIJVbNoCfJYICKvHhmSygc=
> =QKe1
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!