[Snort-devel] Getting lots of hits on sid:1841
r.fulton at ...1343...
Sun Sep 8 09:55:02 EDT 2002
On Thu, 2002-09-05 at 07:11, Chris Green wrote:
> Steve Halligan <giermo at ...269...> writes:
> > Exact same problem here.
> > Lots of falses (I presume) on this rule, no payload logged.
> Hrm, seems to work at least on a simplistic test case.
> 09/04-15:06:59.615105 0:3:93:82:C9:B2 -> 0:6:5B:DA:D5:74 type:0x800 len:0x148
> 10.1.1.52:80 -> 10.1.1.72:34939 TCP TTL:64 TOS:0x0 ID:20002 IpLen:20 DgmLen:314 DF
> ***AP*** Seq: 0x8D3E03B4 Ack: 0xC875C8B3 Win: 0x8218 TcpLen: 32
I have done some more work on this now: Brian asked me to run snort
with just that single rule and see what happened. I did this and set
the -b flag, and things worked as they should. I sent Brian a tcpdump
file with logged packets and the snort rule file. After this I went
back to running my primary snort with -b and can confirm that I get the
packets logged this way.
However, I also use snortsnarf, which requires the packet logs in the
default ASCII format. So I reran snort on the binary log file as
recommended in the snortsnarf documentation, but the alerts are missing
entirely from the second run.
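Added example, not from this thread or from the Snort project: a small POSIX shell helper that replays a binary (-b) log through the same rule file, as the message describes, and counts alerts per SID in the resulting fast-format alert file, so a live run and a replay can be compared for sid 1841. The snort flags (-r, -c, -l, -A fast) and the "[gid:sid:rev]" alert layout are assumed, and the sample alert lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): replay a Snort binary log and count alerts per SID
# in the fast-format alert file, so the live and replayed runs can be compared.
# Assumptions: Snort CLI flags -r/-c/-l/-A fast and "[gid:sid:rev]" fast alert lines.

# Replay a binary log with a rule file into a log directory; skipped if snort is absent.
replay_binary_log() {
    binlog=$1; rules=$2; outdir=$3
    command -v snort >/dev/null 2>&1 || { echo "snort not installed" >&2; return 2; }
    mkdir -p "$outdir"
    snort -r "$binlog" -c "$rules" -l "$outdir" -A fast
}

# Print "sid count" for every SID found in a fast-format alert file.
count_alerts_by_sid() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) {
                split($i, p, ":"); n[p[2]]++; break
            }
    } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Count alerts for one SID; prints 0 when that SID never fired (the symptom in the thread).
sid_count() {
    count_alerts_by_sid "$1" | awk -v want="$2" '$1 == want { c = $2 } END { print c + 0 }'
}

# Constructed sample alert file in the fast format, for offline checks.
make_sample_alert_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
09/04-15:06:59.615105 [**] [1:1841:2] constructed rule A [**] [Priority: 2] {TCP} 10.1.1.52:80 -> 10.1.1.72:34939
09/04-15:07:01.000000 [**] [1:1841:2] constructed rule A [**] [Priority: 2] {TCP} 10.1.1.52:80 -> 10.1.1.72:34940
09/04-15:07:02.000000 [**] [1:1000:1] constructed rule B [**] [Priority: 3] {TCP} 10.1.1.9:22 -> 10.1.1.72:34941
EOF
    echo "$f"
}
```

Run sid_count on the alert file from the live run and again on the one produced by replay_binary_log; a nonzero count in the first and zero in the second reproduces the mismatch described in the message.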