Snort mailing list archives
Re: Weird double logging problem
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 19 Oct 2011 15:17:07 +0100
Hello again all...

On 19/10/2011 13:51, Peter Bates wrote:
> I'm running tcpdump on the 'wget' client machine and I can only see one request.

The 'duplicated' alerts:

15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125

When I load the capture into Wireshark the appearance of 'TCP Retransmission' makes this a lot clearer - Snort is logging twice because the packets are being retransmitted. I probably need to go to packet capture 101.

--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
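An added example, not from the thread or the Snort project, showing why the two tcpdump lines above are the same segment: without -S, tcpdump prints absolute sequence numbers only for the first packet it sees on a flow and relative ones afterwards, so the script rebases each line to absolute numbers and flags repeated byte ranges. The third capture line is constructed to show a genuinely new segment on the same flow.

```python
import re
from collections import defaultdict

# Constructed sample capture: the two tcpdump lines quoted in the message,
# plus a third, assumed segment on the same flow that is NOT a retransmission.
CAPTURE = """\
15:00:06.591083 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 6346543:6346668, ack 3781864103, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.591101 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 0:125, ack 1, win 92, options [nop,nop,TS val 2612833771 ecr 2294067111], length 125
15:00:06.702211 IP 193.60.246.200.46075 > 193.110.88.201.80: Flags [P.], seq 125:200, ack 1, win 92, options [nop,nop,TS val 2612833882 ecr 2294067200], length 75
"""

# Matches the default tcpdump TCP summary line; 'seq' may be a range (data)
# or a single number (SYN with no payload). Pure ACKs carry no 'seq' field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<lo>\d+)(?::(?P<hi>\d+))?, .*length (?P<len>\d+)$"
)


def find_retransmissions(text):
    """Return (line_no, abs_lo, abs_hi) for every data segment whose absolute
    byte range was already seen on the same flow, i.e. a retransmission.

    tcpdump prints absolute sequence numbers only for the first packet it
    sees on a flow and numbers relative to that packet afterwards, so the
    relative ranges are rebased before comparing."""
    base = {}                 # flow -> absolute seq of the first printed packet
    seen = defaultdict(set)   # flow -> absolute (lo, hi) ranges already logged
    dups = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = (m["src"], m["dst"])
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if flow not in base:
            base[flow] = lo                       # first packet: absolute
        else:
            lo, hi = lo + base[flow], hi + base[flow]   # relative -> absolute
        if hi == lo:
            continue                              # no payload, nothing to repeat
        if (lo, hi) in seen[flow]:
            dups.append((n, lo, hi))
        seen[flow].add((lo, hi))
    return dups


if __name__ == "__main__":
    for n, lo, hi in find_retransmissions(CAPTURE):
        print(f"line {n}: retransmission of bytes {lo}:{hi}")
```

If the first packet tcpdump saw on a flow carried no seq field, the base cannot be recovered from the text output; capturing with tcpdump -S prints absolute numbers throughout and avoids the rebasing entirely.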