Snort mailing list archives

Re: What wins? TCP headers or packet contents?


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 11 Sep 2002 11:17:13 -0700 (PDT)

[added snort-dev to the cc list]

On Tue, 10 Sep 2002, John Sage wrote:

> Let me bring the question up to the top:
>
> So the question for the snort list is:
>
> What wins:
>
> TCP header stuff: i.e. the destination port,
>
> or,
>
> Packet contents stuff: i.e. a hex series within the payload of a
> packet, but with no match on destination port?
>
> <snip>
>
>
> Executive summary:
>
> Twice (once real-time, once on replay against a binary log file) I
> have packets matching an rpc.rules by content (a hex sequence) but not
> by the destination port stated in the rule.
>

[...snip...]

Damn you John.  I haven't had enough coffee yet for questions like this.  ;-)

Unless I'm wrong, I think the answer is here:

        http://www.snort.org/docs/faq.html#3.13

From what I read and see in the illustration, the headers start the RTN, and
then the content and other things are placed in the OTN.  That seems to imply
that the headers would 'win' over the content.

Everything you show seems to say that's not the case.  Out of curiosity, do
you still have the pcap of that packet?

Something's not right...  Any coders have an idea?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
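As an added illustration of the RTN/OTN split the FAQ describes (this is not code from the thread, from Snort, or from the FAQ), here is a toy Python model: header fields go into a rule tree node (RTN), payload tests into option tree nodes (OTN) hanging off it, and a packet is only tested against OTNs whose RTN header test it already passed. The rule lines, packets and names are constructed for the example; `$`-prefixed variables are treated as wildcards, which is a simplification of the real variable expansion.

```python
import re
from dataclasses import dataclass, field

# Simplified Snort rule grammar, enough for the example (constructed).
RULE_RE = re.compile(
    r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):"([^"]*)"')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class OTN:
    """Option tree node: the payload tests (content) of one rule."""
    msg: str
    content: bytes


@dataclass
class RTN:
    """Rule tree node: the header tests shared by rules with equal headers."""
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    otns: list = field(default_factory=list)

    def header_matches(self, pkt):
        return (self.proto == pkt.proto
                and _addr_ok(self.src, pkt.src) and _port_ok(self.sport, pkt.sport)
                and _addr_ok(self.dst, pkt.dst) and _port_ok(self.dport, pkt.dport))


def _addr_ok(spec, addr):
    # "any" and $VARIABLES are wildcards here (assumption for the toy model)
    return spec == "any" or spec.startswith("$") or spec == addr


def _port_ok(spec, port):
    return spec == "any" or spec.startswith("$") or int(spec) == port


def parse_content(s):
    """Turn 'abc|00 01|def' into bytes: |..| pieces are hex, rest is ASCII."""
    out = b""
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", s):
        if piece.startswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode()
    return out


def build_tree(rules):
    """Rules with identical headers share one RTN; each adds its own OTN."""
    tree = {}
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        proto, src, sport, dst, dport, opts = m.groups()
        o = dict(OPT_RE.findall(opts))
        key = (proto, src, sport, dst, dport)
        rtn = tree.setdefault(key, RTN(*key))
        rtn.otns.append(OTN(o.get("msg", "?"), parse_content(o["content"])))
    return list(tree.values())


def match(tree, pkt):
    """Messages of rules that fire. OTNs are only consulted once the RTN
    header test passed, so a content hit alone never produces an alert."""
    hits = []
    for rtn in tree:
        if not rtn.header_matches(pkt):
            continue
        for otn in rtn.otns:
            if otn.content in pkt.payload:
                hits.append(otn.msg)
    return hits


# Constructed rules: the same hex content pinned to port 111, and a
# second copy with dport "any" to show how a "content but wrong port"
# alert can legitimately appear in this model.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 111 '
    '(msg:"RPC portmap on 111"; content:"|00 01 86 A0|";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"RPC portmap any port"; content:"|00 01 86 A0|";)',
]
PORTMAP = bytes.fromhex("00 01 86 A0")   # constructed sample payload marker


def demo():
    strict = build_tree(RULES[:1])   # only the port-111 rule
    loose = build_tree(RULES)        # plus the port-any rule
    on_111 = Packet("tcp", "10.1.1.1", 40000, "192.168.1.5", 111, b"\x80\x00\x00\x28" + PORTMAP)
    on_6000 = Packet("tcp", "10.1.1.1", 40001, "192.168.1.5", 6000, b"junk" + PORTMAP + b"junk")
    no_content = Packet("tcp", "10.1.1.1", 40002, "192.168.1.5", 111, b"\x00\x00\x00\x00")
    return {
        "strict/111": match(strict, on_111),
        "strict/6000": match(strict, on_6000),
        "strict/111-nocontent": match(strict, no_content),
        "loose/6000": match(loose, on_6000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Under this model the header always wins: the port-6000 packet carrying the hex sequence does not fire the port-111 rule. The only way it alerts is via a second rule whose header (here `dport any`) it satisfies, which is the first thing worth checking when a content match appears on an unexpected port.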
