Snort mailing list archives
Re: application layer data
From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 02 Mar 2002 18:24:24 -0500
The example packet you provided has no application layer data in it to be logged, so it is not surprising that there is no data logged :)
The packet is a TCP reset packet; the IP layer length is 20 bytes, and a minimal TCP header is 20 bytes long, leaving exactly 0 bytes available for this packet to carry application layer data.
Can you select a packet which does have application layer data in it for your example?
(FYI, pretty much all TCP stacks generate SYN, SYN/ACK, FIN, FIN/ACK and reset packets with no application data.)
At 01:27 PM 3/2/2002 -0600, Benjamin Collins wrote:
I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine. I am trying to log all the data from TCP packets that match certain rules, but it's not working. I know the packets are matching the rules, because the correct alerts are being generated, but the full packets are nowhere to be found. In the config file, I am using the 'config dump_payload' directive, and in the command used to start snort I am using the -d option. Some information is being logged into directories named after IP addresses, but I don't think they are complete packets -- for example:

Here's an alert generated by a rule I wrote:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23 file, and even in the files that are in there, there is no application data; they look just like the above alert. Anyone know what might be going on?
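The arithmetic behind Matt's answer, as an added example that is not part of the thread: it parses the text layout of the alert quoted above (the record header, the IpLen/DgmLen/TcpLen fields and the 8-character flag string) and reports how many application-layer bytes the packet could have carried. The two alert records are constructed samples, the first using the values from the RST alert in the thread.

```python
import re

# Constructed samples in the layout of the Snort alert quoted above.
# The first mirrors the field values of the RST packet from the thread; the
# second is an invented PSH/ACK with 12 bytes beyond the IP and TCP headers.
RST_ALERT = """\
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
"""
DATA_ALERT = """\
02/23-17:26:01.000000 10.1.1.6:4570 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:1 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x4000 TcpLen: 20
"""

HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) ")  # Snort's 8-char flag field
LEN_RE = re.compile(r"\b(IpLen|DgmLen|TcpLen):\s*(\d+)")


def parse_alert(text):
    """Parse one alert record into addressing, TCP flags and payload size.

    Payload bytes are whatever is left of the IP datagram (DgmLen) after
    the IP header (IpLen) and the TCP header (TcpLen) are removed.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = HEADER_RE.match(lines[0])
    flags = FLAGS_RE.match(lines[2])
    if hdr is None or flags is None:
        raise ValueError("unrecognised alert layout")
    lengths = {name: int(val) for name, val in LEN_RE.findall(text)}
    payload = lengths["DgmLen"] - lengths["IpLen"] - lengths["TcpLen"]
    if payload < 0:
        raise ValueError("header lengths exceed datagram length")
    return {
        "src": hdr.group(2), "src_port": int(hdr.group(3)),
        "dst": hdr.group(4), "dst_port": int(hdr.group(5)),
        "flags": {c for c in flags.group(1) if c != "*"},
        "payload_bytes": payload,
    }


def why_no_payload(info):
    """Explain an empty payload log, or return None when data was expected."""
    if info["payload_bytes"] == 0:
        kind = "control" if info["flags"] & {"S", "F", "R"} else "data-less"
        return "%s packet (flags %s) carries 0 application bytes" % (
            kind, "".join(sorted(info["flags"])))
    return None
```

Running it on a real alert file is just a matter of splitting the file on the `=+=+` separator lines and feeding each record to `parse_alert`.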