[Snort-devel] Oddities in capturing rules

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Jan 7 08:22:04 EST 2003

When trying to test a rule with snort 2 on one of our development
sensors... This happened.

alert tcp any any -> any 445 (msg:"Test 1"; flow:established;

204.124.x.x:443 -> 192.168.x.x:49995 
Content of data returned:

es/homebar.gif HTTP/1.1
Accept: */*
Referer: http://some.site/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 23 Aug 2002 19:39:17 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)

This rule hit at exactly the moment we were telnetting to port 445 on a from a  You'll notice that neither the source
nor the dest IPs or ports are right.  On top of that, we also appear to
have had our data jumbled with some other data... (a request to our
intranet)....jumbled with more data (a request to an external https

All of the tcp info and ip info appear to come from the 204.124.x.x ->
192.168.x.x connection, and the data appears to come from two different,
completely unrelated connections.

So far this is not repeatable...
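As an added illustration of what the rule above is supposed to do (this is example code written for this page, not Snort's own matching engine and not code from the original post): a minimal stand-in for a `tcp any any -> any 445` rule with `flow:established`. It tracks the three-way handshake per flow, fires only on data sent to port 445 after that handshake, and records the 5-tuple together with the payload of the very packet that matched, so headers and data can never come from different connections. The IP addresses, ports and payloads are constructed test input with zeroed checksums, not real capture data.

```python
import socket
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (no link layer, checksums left at zero).
    Used only to fabricate test traffic for this example."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode IPv4+TCP headers; returns None for non-TCP packets."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, offres, flags, _win, _ck, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (offres >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": tcp[doff:]}


class FlowTracker:
    """Per-flow handshake state: a flow is 'established' only after SYN, SYN/ACK, ACK.
    Data seen mid-stream without a handshake never counts as established."""

    def __init__(self):
        self.state = {}

    @staticmethod
    def key(p):
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        return (a, b) if a < b else (b, a)   # direction-independent key

    def feed(self, p):
        k = self.key(p)
        st = self.state.get(k, "none")
        f = p["flags"]
        if f & (FIN | RST):
            st = "closed"
        elif f & (SYN | ACK) == SYN:
            st = "syn_sent"
        elif f & (SYN | ACK) == (SYN | ACK) and st == "syn_sent":
            st = "syn_received"
        elif f & ACK and st == "syn_received":
            st = "established"
        self.state[k] = st
        return st == "established"


def run_rule(packets, dport=445):
    """Stand-in for 'alert tcp any any -> any 445 (flow:established;)'.
    Each alert carries the 5-tuple and payload of the same packet."""
    tracker = FlowTracker()
    alerts = []
    for raw in packets:
        p = parse_packet(raw)
        if p is None:
            continue
        established = tracker.feed(p)
        if established and p["dport"] == dport and p["payload"]:
            alerts.append({"flow": (p["src"], p["sport"], p["dst"], p["dport"]),
                           "payload": p["payload"]})
    return alerts


def sample_capture():
    """Constructed traffic: an unrelated HTTPS-port flow carrying an HTTP request,
    a stray data segment to 445 with no handshake, and a real telnet to 445."""
    c, s = "192.168.1.10", "10.0.0.5"
    hc, hs = "192.168.1.10", "204.124.1.1"
    return [
        build_packet(hc, hs, 49995, 443, SYN),
        build_packet(hs, hc, 443, 49995, SYN | ACK),
        build_packet(hc, hs, 49995, 443, ACK),
        build_packet(hc, hs, 49995, 443, PSH | ACK, b"GET /images/homebar.gif HTTP/1.1\r\n"),
        build_packet("172.16.0.9", s, 51000, 445, PSH | ACK, b"stray"),   # no handshake seen
        build_packet(c, s, 40000, 445, SYN),
        build_packet(s, c, 445, 40000, SYN | ACK),
        build_packet(c, s, 40000, 445, ACK),
        build_packet(c, s, 40000, 445, PSH | ACK, b"hello\r\n"),
    ]


if __name__ == "__main__":
    for a in run_rule(sample_capture()):
        print(a["flow"], a["payload"])
```

Only the telnet segment to port 445 produces an alert, and the alert's payload is that segment's own data; the HTTP request on the 443 flow and the handshake-less segment to 445 are ignored, which is the behaviour the poster expected from the rule.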

