Re: Snort packet sequence numbers remain constant

[Shankar Narayan <keshi8086 () gmail com>]

Cool. Thanks!

Tried it out. Makes more sense now. However isn't this a bit non-intuitive?
The alert shows up for the same stream multiple times with no change in
properties. Is there a way to suppress this such that I can be alerted only
when the entire data has been received or transmitted? Like detecting an
EOF in addition to the existing rule to detect EXEs should throw up just a
single alert statement right?

This in turn leads me to another question:
Is there a nice way to extract files from packet capture in snort while its
configured inline? There are many data carving modules out there which
analyse on pcap dumps but I was wondering if it'd be a cool feature to have
within snort as an additional module.

Thanks,
--keshi


On Thu, Dec 6, 2012 at 10:19 AM, Russ Combs <rcombs () sourcefire com> wrote:

> Snort logs the packet or packets that triggered the alert, using the
> sequence and ack numbers therein.
>
> Although your content may match different raw packets, you may actually be
> alerting on the same stream5 reassembled packet.  Try using:
>
> stream5_global: show_rebuilt_packets
>
> and / or snort -A cmg to see where you are alerting.  If it still isn't
> clear, send a pcap and conf and we'll take a look.
>
> Russ
>
> On Wed, Dec 5, 2012 at 5:30 PM, Shankar Narayan <keshi8086 () gmail com>wrote:
>
> > Hi,
> >
> > I am new to snort and I have been playing around with rules to be able to
> > detect exe files coming through the network.
> >
> > One of the things I noticed when I added my rules was that the sequence
> > number that showed up on all the alert logs were the same. The same was the
> > case for ACKs too.
> >
> > This seems odd as for subsequent packets of the exe download I get the
> > alert with the same tcp seq number and ack!
> >
> > How does the sequence number and ACK number thrown out by the alert logs
> > differ from the one inside the tcp header?
> >
> > Any pointers on what's exactly happening?
> >
> > Thanks,
> > - keshi
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> > Remotely access PCs and mobile devices and provide instant support
> > Improve your efficiency, and focus on delivering more value-add services
> > Discover what IT Professionals Know. Rescue delivers
> > http://p.sf.net/sfu/logmein_12329d2d
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!


-- 
*KESHY*
*Real Name: Krishnan Shankar Narayan

*
*"So let it be written, So let it be done!" *

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!