Snort mailing list archives
Re: [Snort-devel] Re: What wins? TCP headers or packet contents?
From: John Sage <jsage () finchhaven com>
Date: Wed, 11 Sep 2002 11:52:08 -0700
On Wed, Sep 11, 2002 at 11:17:13AM -0700, Erek Adams wrote:
> [added snort-dev to the cc list]
>
> On Tue, 10 Sep 2002, John Sage wrote:
>
> > Let me bring the question up to the top:

<snip-en-mass>

Another odd thing: when I replay the original binary log file that
contains these packets, other detects in that binary log cause the
alert-based directory structure described as:

  "...If you just specify a plain "-l" switch, you may notice that Snort
  sometimes uses the address of the remote computer the directory in
  which it places packets..."

but the source IP for the packets in question is not one of the
directories created, even though the packets fire the rstatd rule:

<snip>
drwxr-xr-x    7 jsage  jsage    4096 Sep 10 21:28 .
drwxr-xr-x  494 jsage  jsage    8192 Sep  2 08:12 ..
drwx---r-x    2 jsage  jsage    4096 Sep 10 21:28 12.122.253.237
drwx---r-x    2 jsage  jsage    4096 Sep 10 21:28 12.241.44.94
drwx---r-x    2 jsage  jsage    4096 Sep 10 21:27 12.82.131.145
drwx---r-x    2 jsage  jsage    4096 Sep 10 21:27 61.177.222.139
drwx---r-x    2 jsage  jsage    4096 Sep 10 21:28 80.129.95.178
-rw----r-x    1 jsage  jsage  100561 Sep 10 21:28 alert187check.full
<snip>

The command line on replay is (a .bashrc alias):

  alias snort187check='snort187 -dvX -l . -c \
    /usr/local/snort-1.8.7/snort187check.conf -r '

where snort187.conf is identical to my firewall's production
snort187.conf, with the exception that it (..187check..) looks at *all*
rules, and I set $HOME_NET specifically to that in the log file I'm
replaying.

The packets in question *are* found in the alert187check.full file...

Cool, huh?

- John

--
"Obviously, we do not want to leave zombies around."

PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
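The check John does by eye above (alerts present in the full alert file, but no per-host log directory for that source) is easy to automate when reconciling a replayed capture. The following Python script is an added example, not part of the thread or of Snort itself: it parses the classic single-line "[**] [gid:sid:rev] msg [**]" header and "MM/DD-HH:MM:SS.usec src:port -> dst:port" address line of Snort's "full" alert format, then reports every alerting source IP that has no matching directory. The alert text is constructed for the example; the directory names are the ones from the ls listing above.

```python
import re

# Constructed sample in Snort "full" alert format (NOT taken from the thread).
# The third alert comes from a source that has no per-host log directory.
SAMPLE_ALERT_FULL = """\
[**] [1:1234:1] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/10-21:27:41.123456 12.82.131.145:1026 -> 192.168.1.10:111
UDP TTL:48 TOS:0x0 ID:21345 IpLen:20 DgmLen:84

[**] [1:5678:1] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/10-21:28:02.654321 12.122.253.237:40000 -> 192.168.1.10:80
TCP TTL:42 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******A* Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:1234:1] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/10-21:28:15.000001 203.0.113.77:1027 -> 192.168.1.10:111
UDP TTL:48 TOS:0x0 ID:21346 IpLen:20 DgmLen:84
"""

# Per-host directory names exactly as they appear in the ls listing in the mail.
LOG_DIRS = {"12.122.253.237", "12.241.44.94", "12.82.131.145",
            "61.177.222.139", "80.129.95.178"}

# "[**] [gid:sid:rev] message [**]" header line of a full-format alert.
ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")

# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; the port is absent for ICMP.
ADDR_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ "
    r"(\d{1,3}(?:\.\d{1,3}){3}):?(\d*) -> "
    r"(\d{1,3}(?:\.\d{1,3}){3}):?(\d*)$")


def parse_alerts(text):
    """Return a list of (sid, msg, src_ip, dst_ip) tuples from full-format alert text."""
    alerts = []
    current = None  # (sid, msg) of the header we are inside, until its address line
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            alerts.append((current[0], current[1], m.group(1), m.group(3)))
            current = None
    return alerts


def sources_without_logdir(alerts, log_dirs):
    """Map each alerting source IP with no per-host directory to its rule messages."""
    missing = {}
    for sid, msg, src, _dst in alerts:
        if src not in log_dirs:
            missing.setdefault(src, set()).add(f"{sid} {msg}")
    return {ip: sorted(msgs) for ip, msgs in missing.items()}


def reconcile(alert_text, log_dirs):
    """One-call wrapper: parse the alert file and return the reconciliation result."""
    return sources_without_logdir(parse_alerts(alert_text), log_dirs)


if __name__ == "__main__":
    # In practice read alert187check.full and os.listdir(".") instead of the samples.
    for ip, msgs in reconcile(SAMPLE_ALERT_FULL, LOG_DIRS).items():
        print(f"{ip}: alerted on {', '.join(msgs)} but has no log directory")
```

Run against a real replay, replace SAMPLE_ALERT_FULL with the contents of alert187check.full and LOG_DIRS with the directory names in the -l directory; any IP the script prints is a source that alerted without a packet log, which is exactly the discrepancy worth raising.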
Current thread:
- What wins? TCP headers or packet contents? John Sage (Sep 10)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: What wins? TCP headers or packet contents? Chris Green (Sep 12)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 14)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)