Snort mailing list archives

RE: uricontent option in 1.9 vs 1.8.6


From: David Gordon <dgordon () mmwec org>
Date: Wed, 26 Feb 2003 11:45:15 -0500

Erek,

If you have it, could you post (or private email) a full packet dump of
the packet that's triggering/not triggering the alert?

Cheers!

-----
Erek Adams

This may be relevant...

I'm running snort against tcpdump output which used the tcpdump default
snaplen, so maybe snort is not seeing everything it needs to see.

So the following are dumps of two packets. As you can see the GET is in the
previous packet. As I understand it, http_decode should combine the packets
before the uricontent rule is applied. But maybe it still doesn't meet the
criteria for URI content.

Here are the two "full" dumps - as much as tcpdump captured:

02/16-02:18:38.449176 217.234.56.78:3306 -> 123.456.78.90:80
TCP TTL:112 TOS:0x0 ID:43758 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAEAD871F  Ack: 0xB2DB3D32  Win: 0x4410  TcpLen: 20
GET 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-02:18:38.582833 217.234.56.78:3306 -> 123.456.78.90:80
TCP TTL:112 TOS:0x0 ID:43759 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0xAEAD8723  Ack: 0xB2DB3D32  Win: 0x4410  TcpLen: 20
/default.ida?N
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm emailing you the tcpdump file filtered on only the client IP address
(it's small - only 17 packets in the whole exchange). Maybe there is more
information in it that will make sense to you. 

Thanks for the explanation of URI content. I hadn't noticed the link to the
RFC that Joe had directed me to.

David
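To illustrate the point under discussion, here is an added example (not code from the thread or from Snort): a per-packet request-line check cannot see the URI because "GET " and "/default.ida?N" sit in different segments, while ordering the segments by sequence number does reveal it. The sequence numbers and lengths are taken from the two dumps above (payload length = DgmLen minus the 20-byte IP and 20-byte TCP headers); the segment bytes are constructed, and the helper names are my own.

```python
# Constructed segments modelled on the two dumps in the message.
# Seq 0xAEAD871F + 4 bytes ("GET ") == 0xAEAD8723, so they are contiguous.
# DgmLen 1492 - 40 header bytes = 1452 payload bytes on the wire, but the
# default tcpdump snaplen only preserved the first 14 of them.
SEGMENTS = [
    {"seq": 0xAEAD871F, "captured": b"GET ", "wire_len": 4},
    {"seq": 0xAEAD8723, "captured": b"/default.ida?N", "wire_len": 1452},
]

URI_PATTERN = b"/default.ida"  # the uricontent being tested


def request_uri(data: bytes):
    """Return the URI of an HTTP request line, or None if there is none."""
    first_line = data.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or parts[0] not in (b"GET", b"POST", b"HEAD"):
        return None
    return parts[1]


def match_per_packet(segments):
    """Check each segment on its own, as a non-reassembling matcher would."""
    for s in segments:
        uri = request_uri(s["captured"])
        if uri is not None and URI_PATTERN in uri:
            return True
    return False


def reassemble(segments):
    """Concatenate payload in sequence order.  Returns (stream, truncated);
    truncated is True on a sequence gap or when a segment's captured bytes
    are fewer than it carried on the wire (snaplen loss)."""
    stream, truncated, expected = b"", False, None
    for s in sorted(segments, key=lambda s: s["seq"]):
        if expected is not None and s["seq"] != expected:
            truncated = True  # missing bytes: anything after is unreliable
            break
        stream += s["captured"]
        if len(s["captured"]) < s["wire_len"]:
            truncated = True
        expected = (s["seq"] + s["wire_len"]) & 0xFFFFFFFF
    return stream, truncated


def match_stream(segments):
    """Check the reassembled request; also report whether the capture was cut."""
    stream, truncated = reassemble(segments)
    uri = request_uri(stream)
    return uri is not None and URI_PATTERN in uri, truncated
```

For this capture the per-packet check returns False, the stream check returns True, and the truncation flag is set, which is the snaplen problem the message suspects.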


