Snort mailing list archives

Re: Snort Timestamps Out of Sequence


From: "Joel Esler (jesler) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 6 May 2019 13:44:04 +0000

Hey Alan,

My "off the cuff" theory, without looking at your Snort configuration and requesting a full traffic reassembly is that 
something was holding the connection open (for 7 minutes) (keep-alive?) and Snort is reassembling the HTTP session in 
the background into what we call a "pseudo" packet.  A large reassembled stream.  That's what your rule alerted on, and 
should have logged it to disk.
--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On May 6, 2019, at 9:16 AM, ROTNEMER, ALAN H <ar435f () att com> wrote:

Is there some explanation as to why the alert took over 7 minutes to publish? Could Snort be waiting on anything in 
order to complete the alert?

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
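As an added illustration of the reassembly behaviour Joel describes above (this is not code from the Snort project and not from either poster): a toy one-direction TCP reassembler that buffers segments until the connection closes and only then hands the rebuilt stream, as a single pseudo packet, to a content check. The flow timing (one request at t=0, payload-less keep-alive probes, a FIN after seven minutes), the request bytes and all class and function names are constructed for this example; a real stream preprocessor also flushes on size and timeout limits, which the model leaves out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    ts: float          # capture timestamp, seconds relative to flow start (constructed)
    payload: bytes     # TCP payload; keep-alive probes carry none
    fin: bool = False  # FIN flag: the peer is closing the connection


@dataclass
class PseudoPacket:
    first_seen: float  # timestamp of the first buffered segment
    flushed_at: float  # timestamp of the segment that caused the flush
    data: bytes        # the reassembled stream handed to detection


class Reassembler:
    """Hypothetical stand-in for a stream preprocessor: buffers one direction
    of a TCP stream and flushes it only when the connection closes.  While the
    connection is merely held open, nothing reaches the rule engine."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.first_seen: Optional[float] = None

    def feed(self, seg: Segment) -> Optional[PseudoPacket]:
        if self.first_seen is None:
            self.first_seen = seg.ts
        self.buf += seg.payload
        if not seg.fin:
            return None  # still open: keep buffering
        pp = PseudoPacket(self.first_seen, seg.ts, bytes(self.buf))
        self.buf, self.first_seen = bytearray(), None
        return pp


def match(data: bytes, content: bytes, ts: float) -> Optional[dict]:
    """Minimal 'content:'-style check; the alert is stamped with the
    timestamp of whatever packet was inspected, real or pseudo."""
    if content in data:
        return {"alert_ts": ts, "content": content}
    return None


def run_flow(segments: List[Segment], content: bytes,
             reassemble: bool = True) -> Optional[dict]:
    """Return the alert produced for the flow, or None.

    reassemble=True  : the rule sees only the pseudo packet, at flush time
    reassemble=False : the rule sees each segment as it arrives
    """
    flow_start = segments[0].ts
    if not reassemble:
        for seg in segments:
            hit = match(seg.payload, content, seg.ts)
            if hit:
                hit["flow_start"] = flow_start
                hit["delay_s"] = hit["alert_ts"] - flow_start
                return hit
        return None
    r = Reassembler()
    for seg in segments:
        pp = r.feed(seg)
        if pp is None:
            continue
        hit = match(pp.data, content, pp.flushed_at)
        if hit:
            hit["flow_start"] = pp.first_seen
            hit["delay_s"] = pp.flushed_at - pp.first_seen
            hit["bytes_reassembled"] = len(pp.data)
            return hit
    return None


# Constructed flow: one HTTP request at t=0, idle keep-alive probes with no
# payload every 60 s, then a FIN after 7 minutes.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"Connection: keep-alive\r\n\r\n")
FLOW = ([Segment(0.0, REQUEST)]
        + [Segment(60.0 * i, b"") for i in range(1, 7)]
        + [Segment(420.0, b"", fin=True)])

if __name__ == "__main__":
    print("reassembled :", run_flow(FLOW, b"Connection: keep-alive"))
    print("per-segment :", run_flow(FLOW, b"Connection: keep-alive", reassemble=False))
```

Run with the stream reassembled, the alert is stamped 420 s after the request that actually matched; run per segment, it is stamped at t=0. When an alert timestamp looks out of sequence, compare it against the flow's first-packet time (here `flow_start`) before treating the alert time as the time of the request.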
