Snort mailing list archives
RE: Snort rule triggered an alert, but why?
From: C.Prickaerts () UB unimaas nl
Date: Sun, 8 Dec 2002 17:56:59 +0100
Hi Chris,

Perhaps I have been crying wolf too soon... I suddenly realized that I did not alter the default snaplength of TCPdump, so that what triggered snort could be there, but I wasn't capturing it.. Duh.

Cheers,
Chris

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Thursday 5 December 2002 22:09
To: C.Prickaerts () UB unimaas nl
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule triggered an alert, but why?

C.Prickaerts () UB unimaas nl writes:
> Hi Chris,
>
> But what was the attack? The rule says it looks at repeated 43 content. But I failed to spot them in the dumplog.
It was a packet that went by that didn't match your homenet variable but was already alerted on. Please try to reproduce it with current sources.

Thanks
--
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
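
The snaplength problem described in the message above can be checked in a saved capture, because every pcap record stores both the captured length and the original length on the wire. The following is an added example, not part of the original thread; it assumes a classic libpcap file (not pcapng), and the function names and the sample capture (snaplen 68) are constructed for illustration.

```python
import struct

def build_pcap(snaplen, wire_lengths):
    """Constructed sample: classic little-endian pcap with records cut at snaplen."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, wire_len in enumerate(wire_lengths):
        cap_len = min(wire_len, snaplen)
        # Record header: ts_sec, ts_usec, captured length, original wire length
        out += struct.pack("<IIII", i, 0, cap_len, wire_len)
        out += b"\x00" * cap_len  # filler bytes standing in for packet data
    return out

def find_truncated(data):
    """Return (snaplen, [(index, cap_len, wire_len), ...]) for cut-short records."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    truncated, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        _, _, cap_len, wire_len = struct.unpack_from(endian + "IIII", data, offset)
        if offset + 16 + cap_len > len(data):
            break  # file ends mid-record (capture interrupted)
        if cap_len < wire_len:
            truncated.append((index, cap_len, wire_len))
        offset += 16 + cap_len
        index += 1
    return snaplen, truncated

if __name__ == "__main__":
    sample = build_pcap(68, [60, 1514, 68, 400])  # constructed capture
    snaplen, cut = find_truncated(sample)
    print(f"snaplen={snaplen}")
    for index, cap_len, wire_len in cut:
        print(f"packet {index}: {wire_len - cap_len} of {wire_len} bytes not captured")
```

Any record reported here lost payload bytes at capture time, so content that an IDS rule matched on the live traffic may simply be absent from the dump.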