[Snort-devel] Re: What wins? TCP headers or packet contents?

Erek Adams erek at ...105...
Wed Sep 11 11:19:02 EDT 2002

[added snort-dev to the cc list]

On Tue, 10 Sep 2002, John Sage wrote:

> Let me bring the question up to the top:
> > So the question for the snort list is:
> > What wins:
> > TCP header stuff: i.e. the destination port,
> > or,
> > Packet contents stuff: i.e. a hex series within the payload of a
> > packet, but with no match on destination port?
> <snip>
> Executive summary:
> Twice (once real-time, once on replay against a binary log file) I
> have packets matching an rpc.rules by content (a hex sequence) but not
> by the destination port stated in the rule.


Damn you John.  I haven't had enough coffee yet for questions like this.  ;-)

Unless I'm wrong, I think the answer is here:

