Snort mailing list archives
Re: Snort packet sequence numbers remain constant
From: Shankar Narayan <keshi8086 () gmail com>
Date: Thu, 6 Dec 2012 15:55:47 -0800
Cool. Thanks! Tried it out. Makes more sense now.

However, isn't this a bit non-intuitive? The alert shows up for the same stream multiple times with no change in properties. Is there a way to suppress this such that I can be alerted only when the entire data has been received or transmitted? Like detecting an EOF in addition to the existing rule to detect EXEs should throw up just a single alert statement, right?

This in turn leads me to another question: is there a nice way to extract files from a packet capture in Snort while it's configured inline? There are many data carving modules out there which analyse pcap dumps, but I was wondering if it'd be a cool feature to have within Snort as an additional module.

Thanks,
--keshi

On Thu, Dec 6, 2012 at 10:19 AM, Russ Combs <rcombs () sourcefire com> wrote:
Snort logs the packet or packets that triggered the alert, using the sequence and ack numbers therein. Although your content may match different raw packets, you may actually be alerting on the same stream5 reassembled packet.

Try using:

stream5_global: show_rebuilt_packets

and / or

snort -A cmg

to see where you are alerting. If it still isn't clear, send a pcap and conf and we'll take a look.

Russ

On Wed, Dec 5, 2012 at 5:30 PM, Shankar Narayan <keshi8086 () gmail com> wrote:

Hi,

I am new to Snort and I have been playing around with rules to be able to detect exe files coming through the network. One of the things I noticed when I added my rules was that the sequence number that showed up on all the alert logs was the same. The same was the case for ACKs too. This seems odd, as for subsequent packets of the exe download I get the alert with the same TCP seq number and ack! How does the sequence number and ACK number thrown out by the alert logs differ from the one inside the TCP header? Any pointers on what's exactly happening?

Thanks,
- keshi

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
--
KESHY
Real Name: Krishnan Shankar Narayan
"So let it be written, So let it be done!"
Current thread:
- Snort packet sequence numbers remain constant Shankar Narayan (Dec 06)
- Re: Snort packet sequence numbers remain constant Russ Combs (Dec 06)
- Re: Snort packet sequence numbers remain constant Shankar Narayan (Dec 07)
- Re: Snort packet sequence numbers remain constant Russ Combs (Dec 06)