Snort mailing list archives

Re: Anomalous packet logged by Snort

From: Chris Green <cmg () sourcefire com>
Date: Mon, 08 Apr 2002 14:58:16 -0400

But, I do see at least one other instance of what appears to me to be a 
badly logged packet:

Packet 28
TIME:   06:11:22.416966
  IP:   65.93.233.121 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=166

id=0000

        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2590 -> 21 seq=1606071884 ack=3755518533
        hlen=20 (data=126) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   8/231/src203.148PASS Ogpuser () home com.
        CWD /pub/.
        MKD 020403080801p.
        CWD /public/incoming/.
        CWD /incoming/.
        CWD /pub/incoming/


Artifact of TCP stream reassembly.  Yes it's goofy.  We're working on
making it less so.
-- 
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Anomalous packet logged by Snort Bill McCarty (Apr 07)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- Re: Anomalous packet logged by Snort Dan Hawrylkiw (Apr 14)
  - Re: Anomalous packet logged by Snort Bill McCarty (Apr 07)
    - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- <Possible follow-ups>
- RE: Anomalous packet logged by Snort Hawrylkiw, Dan G (Apr 08)
  - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- RE: Anomalous packet logged by Snort Safka (Apr 14)