Snort mailing list archives

Re: Odp: Re: Odp: Re: Odp: RE: React option doesn't work

From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Fri, 27 Mar 2015 21:08:40 +0000

Thanks, this is an issue we are aware of. There should be a fix in the
next release.
 
On 3/27/15, 4:00 PM, "Robert Lasota" <wrkilu () wp pl> wrote:

Dnia Piątek, 27 Marca 2015 20:24 Carter Waxman (cwaxman)
<cwaxman () cisco com> napisał(a)

Can you check the connection with tcpdump from between Snort and the
client? Do you see a FIN for the http session.


No, no FIN.

I'm testing on client computer (10.192.1.91) address wp.pl/d.php and
tcpdump on router shows:
19:56:27.918239 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [S],
seq 3915938431, win 14600, options [mss 1460,sackOK,TS val 344834610 ecr
0,nop,wscale 7], length 0
19:56:28.033642 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [S.],
seq 2878190590, ack 3915938432, win 14600, options [mss
1460,nop,nop,sackOK,nop,wscale 9], length 0
19:56:28.033992 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.],
ack 1, win 115, length 0
19:56:28.034072 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:28.034365 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.],
seq 192, ack 1000, win 0, length 0
19:56:28.034721 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.],
ack 1, win 115, length 0
19:56:28.382534 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:28.731704 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:29.429504 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:30.823519 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:33.611530 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:33.611682 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.],
seq 1, ack 1000, win 0, length 0
19:56:33.612422 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [S],
seq 2069103655, win 14600, options [mss 1460,sackOK,TS val 344840304 ecr
0,nop,wscale 7], length 0
19:56:33.725269 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [S.],
seq 2148213734, ack 2069103656, win 14600, options [mss
1460,nop,nop,sackOK,nop,wscale 9], length 0
19:56:33.725751 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.],
ack 1, win 115, length 0
19:56:33.725843 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:33.726170 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.],
seq 192, ack 1000, win 0, length 0
19:56:33.726576 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.],
ack 1, win 115, length 0
19:56:34.068555 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:34.411693 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:35.097507 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:36.467547 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:39.211591 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
seq 1:1000, ack 1, win 115, length 999
19:56:39.211695 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.],
seq 1, ack 1000, win 0, length 0

thats all



------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Odp: Re: Odp: Re: Odp: RE: React option doesn't work Robert Lasota (Mar 27)
- <Possible follow-ups>
- Odp: Re: Odp: Re: Odp: RE: React option doesn't work Robert Lasota (Mar 27)
- Re: Odp: Re: Odp: Re: Odp: RE: React option doesn't work Carter Waxman (cwaxman) (Mar 27)