Snort mailing list archives
Re: Snort Timestamps Out of Sequence
From: "Joel Esler (jesler) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 6 May 2019 13:44:04 +0000
Hey Alan,

My "off the cuff" theory, without looking at your Snort configuration and requesting a full traffic reassembly, is that something was holding the connection open (for 7 minutes) (keep-alive?) and Snort is reassembling the HTTP session in the background into what we call a "pseudo" packet. A large reassembled stream. That's what your rule alerted on, and should have logged it to disk.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On May 6, 2019, at 9:16 AM, ROTNEMER, ALAN H <ar435f () att com> wrote:

> Is there some explanation as to why the alert took over 7 minutes to publish? Could Snort be waiting on anything in order to complete the alert?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
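The timing effect Joel describes (a content rule matching on a reassembled "pseudo" packet, whose timestamp is the moment the stream was flushed rather than the moment the first segment arrived) is easy to reproduce with a small model. The following Python is an added illustration written for this archive; it is not Snort's code and not part of the thread. The flush policy (on FIN, or after an assumed 300 s idle timer), the constructed HTTP segments, the keep-alive modelling and all function names are assumptions of the toy model, not Snort's actual stream reassembly parameters.

```python
"""Toy model of TCP stream reassembly and alert timing.

Added illustration, not Snort source code: segments of one stream are buffered
until the stream is flushed (here: on FIN, or when an idle timer expires), and
the reassembled payload is then inspected as one "pseudo" packet whose
timestamp is the flush time rather than the time of the first segment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    ts: float            # capture time in seconds (constructed values)
    seq: int             # sequence number of the first payload byte
    payload: bytes
    fin: bool = False


@dataclass
class PseudoPacket:
    ts: float            # timestamp assigned to the reassembled buffer
    first_seg_ts: float  # when the earliest buffered segment was captured
    data: bytes


class Stream:
    """Buffers one direction of a flow and reorders segments by sequence number."""

    def __init__(self, isn: int, idle_timeout: float):
        self.next_seq = isn
        self.idle_timeout = idle_timeout
        self.out_of_order: Dict[int, Segment] = {}
        self.buf = bytearray()
        self.first_ts: Optional[float] = None
        self.last_ts: Optional[float] = None

    def add(self, seg: Segment) -> Optional[PseudoPacket]:
        """Accept a segment; returns a pseudo packet if a FIN completes the stream."""
        if self.first_ts is None:
            self.first_ts = seg.ts
        self.last_ts = seg.ts            # any segment, even empty, counts as activity
        self.out_of_order[seg.seq] = seg
        fin_seen = False
        while self.next_seq in self.out_of_order:   # drain contiguous data
            s = self.out_of_order.pop(self.next_seq)
            self.buf += s.payload
            self.next_seq += len(s.payload)
            fin_seen = fin_seen or s.fin
        return self.flush(seg.ts) if fin_seen else None

    def tick(self, now: float) -> Optional[PseudoPacket]:
        """Periodic check: flush a stream that has been idle for idle_timeout seconds."""
        if self.buf and self.last_ts is not None and now - self.last_ts >= self.idle_timeout:
            return self.flush(now)
        return None

    def flush(self, ts: float) -> Optional[PseudoPacket]:
        if not self.buf:
            return None
        pkt = PseudoPacket(ts=ts, first_seg_ts=self.first_ts, data=bytes(self.buf))
        self.buf = bytearray()
        self.first_ts = None
        return pkt


def match_rule(pkt: PseudoPacket, pattern: bytes) -> Optional[Tuple[float, float]]:
    """Content match over the reassembled buffer: (alert timestamp, seconds after first segment)."""
    if pattern in pkt.data:
        return pkt.ts, pkt.ts - pkt.first_seg_ts
    return None


def run_scenario(keepalive: bool, idle_timeout: float = 300.0) -> dict:
    """Constructed traffic: an HTTP request whose Host header is split across two
    segments at t=0, then either keep-alives every 60 s until a FIN at t=420 s,
    or silence until that FIN."""
    isn = 1000
    part1 = b"GET /index.html HTTP/1.1\r\nHost: exam"
    part2 = b"ple.com\r\n\r\n"
    data_end = isn + len(part1) + len(part2)
    segs = [Segment(0.0, isn, part1), Segment(0.01, isn + len(part1), part2)]
    if keepalive:
        # modelled as zero-length segments at the next expected sequence number
        segs += [Segment(float(t), data_end, b"") for t in range(60, 420, 60)]
    segs.append(Segment(420.0, data_end, b"", fin=True))

    pattern = b"Host: example.com"
    # per-packet inspection never sees the whole header, so it cannot match
    per_packet_hits = [s.ts for s in segs if pattern in s.payload]

    stream = Stream(isn, idle_timeout)
    alerts: List[Tuple[float, float]] = []
    i = 0
    for now in range(0, 421, 60):            # the engine's periodic timer
        while i < len(segs) and segs[i].ts <= now:
            pkt = stream.add(segs[i])
            i += 1
            if pkt and (hit := match_rule(pkt, pattern)):
                alerts.append(hit)
        pkt = stream.tick(float(now))
        if pkt and (hit := match_rule(pkt, pattern)):
            alerts.append(hit)
    return {"per_packet_hits": per_packet_hits, "alerts": alerts}


if __name__ == "__main__":
    print("keep-alive held open:", run_scenario(keepalive=True))
    print("idle stream:         ", run_scenario(keepalive=False))
```

With keep-alives the stream is only flushed by the FIN at 420 s, so the single alert carries a 420 s timestamp although the matching bytes were captured at t=0; without them the idle timer flushes at the first tick after 300 s of silence (360 s in this model). In both cases the per-packet view never matches, because the header is split across segments, which is why the rule only fires on the reassembled pseudo packet.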
Current thread:
- Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (Apr 17)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (Apr 17)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 23)
- Re: Snort Timestamps Out of Sequence Russ via Snort-devel (May 25)
- Re: Snort Timestamps Out of Sequence ROTNEMER, ALAN H via Snort-devel (May 06)
- Re: Snort Timestamps Out of Sequence Joel Esler (jesler) via Snort-devel (Apr 17)