Snort mailing list archives
Re: Content Match
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sun, 1 Feb 2015 23:01:11 +0000
Based on the pcap you provided the content shows up in both packets. It looks like snort saw the retransmission and alerted on the duplicate.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Mark Greenman [mailto:mark.greenman.014 () gmail com]
Sent: Saturday, January 31, 2015 9:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Content Match

Hi. Do you know why snort creates two alerts for one content match? I am using the following rule for content match:

alert tcp any any -> any any (msg:"Hit!"; content:"Tree"; sid:1000001;)

The file which is requested using HTTP and the logs created by snort in a pcap file are attached to this email.

Thanks
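As an added illustration of the behaviour Al describes (this is constructed example code, not part of the thread and not Snort's own stream handling), the script below contrasts two ways of applying a content match to TCP segments: a per-packet matcher, which fires on the original segment and again on its retransmission, and a per-flow matcher that remembers how far into the stream it has already inspected and skips bytes it has seen. The traffic, the 10.0.0.x addresses and the `Segment`/`FlowState` types are all assumptions made up for the example; the pattern and sid mirror the rule posted in the thread.

```python
"""Why a per-packet content match fires twice on a TCP retransmission.

Constructed, self-contained illustration; not Snort code and not the pcap
from the thread. The "signature" mirrors the rule posted there:
    alert tcp any any -> any any (msg:"Hit!"; content:"Tree"; sid:1000001;)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PATTERN = b"Tree"   # content:"Tree"
SID = 1000001       # sid:1000001


@dataclass(frozen=True)
class Segment:
    """Minimal stand-in for a TCP segment: 4-tuple, sequence number, payload."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first payload byte
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def stateless_match(segments: List[Segment]) -> List[dict]:
    """Inspect each packet on its own. The original segment and its
    retransmission both carry PATTERN, so both produce an alert."""
    alerts = []
    for seg in segments:
        if PATTERN in seg.payload:
            alerts.append({"sid": SID, "seq": seg.seq, "flow": flow_key(seg)})
    return alerts


@dataclass
class FlowState:
    next_expected: int   # sequence number just past the data already inspected
    tail: bytes = b""    # last len(PATTERN)-1 inspected bytes, for cross-segment matches


def stream_aware_match(segments: List[Segment]) -> List[dict]:
    """Track per flow which bytes were already inspected. A segment lying
    entirely below next_expected is a retransmission and is skipped; a partial
    overlap is trimmed so only new bytes are searched. Segments arriving after
    a gap are inspected in arrival order (this is a toy, not a reassembler)."""
    flows: Dict[FlowKey, FlowState] = {}
    alerts = []
    keep = max(len(PATTERN) - 1, 0)
    for seg in segments:
        key = flow_key(seg)
        state = flows.setdefault(key, FlowState(next_expected=seg.seq))
        seg_end = seg.seq + len(seg.payload)
        if seg_end <= state.next_expected:
            continue                      # every byte already seen: retransmission
        new_start = max(seg.seq, state.next_expected)
        new_bytes = seg.payload[new_start - seg.seq:]
        search_buf = state.tail + new_bytes
        if PATTERN in search_buf:
            alerts.append({"sid": SID, "seq": new_start, "flow": key})
        state.next_expected = seg_end
        state.tail = search_buf[-keep:] if keep else b""
    return alerts


# Constructed traffic: an HTTP response from server 10.0.0.2:80 to client
# 10.0.0.1:40000 whose first segment is retransmitted, followed by two segments
# that split the word "Tree" across a segment boundary.
_P1 = b"HTTP/1.1 200 OK\r\n\r\n<title>Tree</title>"
_P2 = b"<body>Tr"
_P3 = b"ee of life</body>"
SAMPLE_SEGMENTS = [
    Segment("10.0.0.2", 80, "10.0.0.1", 40000, 1000, _P1),
    Segment("10.0.0.2", 80, "10.0.0.1", 40000, 1000, _P1),   # retransmission
    Segment("10.0.0.2", 80, "10.0.0.1", 40000, 1000 + len(_P1), _P2),
    Segment("10.0.0.2", 80, "10.0.0.1", 40000, 1000 + len(_P1) + len(_P2), _P3),
]

if __name__ == "__main__":
    for name, fn in (("stateless", stateless_match), ("stream-aware", stream_aware_match)):
        hits = fn(SAMPLE_SEGMENTS)
        print(f"{name}: {len(hits)} alert(s) at seq {[h['seq'] for h in hits]}")
```

Run stand-alone, the stateless pass reports two alerts, both at sequence number 1000, which is the shape of the duplicate in the thread: the retransmitted segment re-enters per-packet inspection and matches again. The stream-aware pass reports one alert at 1000 and one for the segment where "Tree" straddles the boundary, a match the per-packet pass misses entirely. In Snort itself, whether a rule is evaluated against raw packets or reassembled stream data depends on the stream preprocessor configuration and the rule's flow options; the toy only shows the mechanism.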