Snort mailing list archives

Re: Weird double logging problem


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 19 Oct 2011 15:17:07 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello again all...

On 19/10/2011 13:51, Peter Bates wrote:
> I'm running tcpdump on the 'wget' client machine and I can only
> see one request.

The 'duplicated' alerts:
15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags
[P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS
val 2612833771 ecr 2294067111], length 125

15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags
[P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr
2294067111], length 125

when I load the capture into Wireshark the appearance of 'TCP
Retransmission' makes this a lot clearer - Snort is logging twice
because the packets are being retransmitted.

I probably need to go to packet capture 101.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOntvjAAoJELhVoVpEMS6RhxwH/2qx1KhXPBKQP9ByL4EwWMBj
FXNvLJEeh2mVM/jHDsRce4AWArI1G9jDOe0eNuKeJxRQ6MOohJVBnlEoBr1uPcla
Rv6C/Wh8rWpBFyV9EPv+E8ia9/Pmo6TuBQXI2I4koi/kfqq2ReOyJfdcnLS++cVN
nhz+VHlRrim2HIDwL0ha9eBMNfy1PIai6iC6kHeS2SO8bCdteFMcrMXpJ8+GNBes
PIwH1ioXkQFhrerm2VnP0+OaXRy2+vdmJZhaeRT+ueip5UJOzKlJ588kcjHrDPjk
NKvCvWPqOzt8Fr/VMSCS/tklSCoQdQSsESKMispPwBIJVbNoCfJYICKvHhmSygc=
=QKe1
-----END PGP SIGNATURE-----
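
The retransmission check that Wireshark applied above, as an added example that is not part of the original post or of Snort or tcpdump: a small Python parser for tcpdump's one-line TCP summary that flags a data segment whose byte range has already been seen in the same direction of the same flow. It assumes the capture was printed with `tcpdump -S` (absolute sequence numbers): by default tcpdump prints the first packet it sees of a flow with absolute numbers and later packets relative to that first one, which is why the post's second line reads `seq 0:125, ack 1` for the same bytes. The sample lines are constructed from the post's packet pair (rewritten in absolute form) plus a made-up server ACK, server reply and client follow-up segment; the function names are mine.

```python
"""Flag retransmitted TCP data segments in `tcpdump -S` one-line output.

Added example, not from the original post or from Snort/tcpdump.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default tcpdump TCP summary line, e.g.
# 15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.],
#   seq 6346543:6346668, ack 3781864103, win 92, options [...], length 125
# "seq" is absent on pure ACKs, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)


@dataclass(frozen=True)
class Segment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    length: int


def parse_line(line: str) -> Optional[Segment]:
    """Parse one tcpdump line; return None for anything that is not a TCP summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    seq_start = int(g["seq_start"]) if g["seq_start"] is not None else None
    seq_end = int(g["seq_end"]) if g["seq_end"] is not None else seq_start
    return Segment(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                   g["flags"], seq_start, seq_end, int(g["length"]))


def seq_le(a: int, b: int) -> bool:
    """a <= b in 32-bit sequence space, tolerant of wraparound."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def classify(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, verdict) for every payload-carrying segment.

    "retransmission": the segment's whole byte range lies inside a range
    already seen in that direction (the basic test behind Wireshark's
    "TCP Retransmission" label); "new": it carries at least one byte not
    seen before. Pure ACKs (length 0) and unparsable lines are skipped.
    Simplifications: a range is only matched against single earlier
    segments, so data re-sent with different segmentation reads as "new".
    """
    seen: Dict[Tuple[str, int, str, int], List[Tuple[int, int]]] = {}
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        seg = parse_line(line)
        if seg is None or seg.length == 0 or seg.seq_start is None:
            continue
        ranges = seen.setdefault((seg.src, seg.sport, seg.dst, seg.dport), [])
        if any(seq_le(s, seg.seq_start) and seq_le(seg.seq_end, e) for s, e in ranges):
            out.append((n, "retransmission"))
        else:
            ranges.append((seg.seq_start, seg.seq_end))
            out.append((n, "new"))
    return out


def retransmitted_lines(lines: List[str]) -> List[int]:
    """Line numbers (1-based) that would make a packet-level rule fire twice."""
    return [n for n, verdict in classify(lines) if verdict == "retransmission"]


# Constructed sample in `tcpdump -S` form: the post's two client segments,
# then an invented server ACK, server reply and next client segment.
SAMPLE = """\
15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.612440 IP 193.110.88.201.80 > 193.60.246.200.46075: Flags [.], ack 6346668, win 227, options [nop,nop,TS val 2294067133 ecr 2612833771], length 0
15:00:06.613002 IP 193.110.88.201.80 > 193.60.246.200.46075: Flags [P.], seq 3781864103:3781864403, ack 6346668, win 227, options [nop,nop,TS val 2294067133 ecr 2612833771], length 300
15:00:06.613500 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346668:6346793, ack 3781864403, win 92, options [nop,nop,TS val 2612833793 ecr 2294067133], length 125
""".splitlines()

if __name__ == "__main__":
    for n, verdict in classify(SAMPLE):
        print(f"line {n}: {verdict}")
```

Feed it the output of `tcpdump -S -nn -r capture.pcap tcp` (absolute sequence numbers, no name resolution). One caveat: this test fires both for a genuine retransmission by the sending host and for a segment that simply reached the sensor twice, for instance from a SPAN session that mirrors both ends of a link; the timestamps usually tell the two apart, since a real retransmission waits out an RTO or duplicate ACKs rather than arriving microseconds later.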

