[Snort-devel] Getting lots of hits on sid:1841

Russell Fulton r.fulton at ...1343...
Sun Sep 8 09:55:02 EDT 2002


On Thu, 2002-09-05 at 07:11, Chris Green wrote:
> Steve Halligan <giermo at ...269...> writes:
> 
> > Exact same problem here.
> > Lots of falses (I presume) on this rule, no payload logged.
> 
> Hrm,  Seems to work at least on a simplistic test case.
> 
> 09/04-15:06:59.615105 0:3:93:82:C9:B2 -> 0:6:5B:DA:D5:74 type:0x800 len:0x148
> 10.1.1.52:80 -> 10.1.1.72:34939 TCP TTL:64 TOS:0x0 ID:20002 IpLen:20 DgmLen:314 DF
> ***AP*** Seq: 0x8D3E03B4  Ack: 0xC875C8B3  Win: 0x8218  TcpLen: 32

I have done some more work on this now:  Brian asked me to run snort
with just that single rule and see what happened.  I did this and set
the -b flag and things worked as they should.  I sent Brian a tcpdump
file with logged packets and the snort rule file.  After this I went
back to running my primary snort with -b and can confirm that I get the
packets logged this way.

However, I also use snortsnarf, which requires the packet logs in the
default ascii format. So I reran snort on the binary log file as
recommended in the snortsnarf documentation, but the alerts are missing
entirely from the second run.
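As an added illustration of the re-run step described in the message above (not code from this thread, from Snort, or from snortsnarf): a small Python script that replays a pcap-format binary log, which is the format Snort's -b option writes, through a content-match rule. The addresses and ports follow the packet quoted earlier in the thread, but the HTTP body, the rule contents, the sids (local-range, hypothetical) and the "established" rule option are all constructed here and are not the real sid:1841 rule. The script also shows one general way a rerun over a binary alert log can come up empty: a rule that additionally requires an established connection cannot match when the log holds only the packet that alerted, without its handshake. That is a caveat about replaying partial captures in general, not a diagnosis of the problem reported in the thread.

```python
import struct

# --- minimal pcap (libpcap) writer and reader ---------------------------
PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(packets):
    """packets: list of (timestamp_seconds, raw_ethernet_frame)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp_seconds, frame) records from pcap bytes."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        ts, _usec, caplen, _wirelen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen

# --- constructed Ethernet/IPv4/TCP frames (checksums left zero) ---------
SYN, PSH, ACK = 0x02, 0x08, 0x10

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    eth = b"\x00\x06\x5b\xda\xd5\x74" + b"\x00\x03\x93\x82\xc9\xb2" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0x8218, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    return eth + ip + tcp

def parse_tcp(frame):
    """Return the TCP fields of an Ethernet/IPv4/TCP frame, or None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ip[12:16], "dst": ip[16:20], "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}

# --- replay: apply content rules to every packet in the log -------------
def replay(pcap_bytes, rules):
    """Return [(sid, timestamp)] for every rule that matches a packet."""
    alerts = []
    established = set()          # flows for which a SYN/ACK has been seen
    for ts, frame in read_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        flow = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if pkt["flags"] & SYN and pkt["flags"] & ACK:
            established.add(flow)   # simplified: SYN/ACK stands in for the full handshake
        for rule in rules:
            if pkt["sport"] != rule["sport"]:
                continue
            if rule["established"] and flow not in established:
                continue            # stateful rule: no handshake in this log, no alert
            if rule["content"] in pkt["payload"]:
                alerts.append((rule["sid"], ts))
    return alerts

# Constructed sample data: addresses/ports follow the packet quoted in the thread;
# the HTTP body and rule contents are invented and the sids are local (hypothetical).
CLIENT, SERVER = b"\x0a\x01\x01\x48", b"\x0a\x01\x01\x34"      # 10.1.1.72 / 10.1.1.52
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n<html>EXAMPLE-PATTERN</html>"

FULL_CAPTURE = build_pcap([
    (1, tcp_frame(CLIENT, SERVER, 34939, 80, SYN)),
    (2, tcp_frame(SERVER, CLIENT, 80, 34939, SYN | ACK)),
    (3, tcp_frame(CLIENT, SERVER, 34939, 80, ACK)),
    (4, tcp_frame(SERVER, CLIENT, 80, 34939, PSH | ACK, RESPONSE)),
])
# A binary *alert* log holds only the packet that fired, not its handshake.
ALERT_LOG = build_pcap([(4, tcp_frame(SERVER, CLIENT, 80, 34939, PSH | ACK, RESPONSE))])

RULES = [
    {"sid": 1000001, "sport": 80, "content": b"EXAMPLE-PATTERN", "established": False},
    {"sid": 1000002, "sport": 80, "content": b"EXAMPLE-PATTERN", "established": True},
]

if __name__ == "__main__":
    for name, log in (("full capture", FULL_CAPTURE), ("alert log", ALERT_LOG)):
        print(name, "->", [sid for sid, _ in replay(log, RULES)])
```

Run as-is, the stateless rule fires on both logs while the stateful one fires only on the full capture. The same comparison is worth making with a real rerun: replay the -b log and a full-traffic capture of the same period through the same rule set, and compare which sids appear in each.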
