[Snort-devel] Re: What wins? TCP headers or packet contents?
erek at ...105...
Wed Sep 11 11:19:02 EDT 2002
[added snort-dev to the cc list]
On Tue, 10 Sep 2002, John Sage wrote:
> Let me bring the question up to the top:
> > So the question for the snort list is:
> > What wins:
> > TCP header stuff: i.e. the destination port,
> > or,
> > Packet contents stuff: i.e. a hex series within the payload of a
> > packet, but with no match on destination port?
> Executive summary:
> Twice (once real-time, once on replay against a binary log file) I
> have packets matching an rpc.rules by content (a hex sequence) but not
> by the destination port stated in the rule.
Damn you John. I haven't had enough coffee yet for questions like this. ;-)
Unless I'm wrong, I think the answer is here:
More information about the Snort-devel