[Snort-devel] Content across multiple packets Not detected by Snort

Paul Tinsley jackhammer at ...2499...
Tue Apr 27 07:43:34 EDT 2004


Now I may be missing something but looking at your pcap file, there is
nothing in there to trigger the rule...  Here is the ascii content
between the hosts for the 3131 connection:
Wow, over a year since the laslability, take
           a loi trinity at ...2502... Welcome
.nort but are interested in a 
          * Major tagging updally supported version with
ent==============================


You are searching for Hello World; that pcap file shouldn't trigger an alert.

Thanks,
    Paul Tinsley


----- Original Message -----
From: Dennis George <easyeinfo at ...398...>
Date: Mon, 26 Apr 2004 22:42:23 -0700 (PDT)
Subject: Re: [Snort-devel] Content across multiple packets Not detected by Snort
To: snort-devel at lists.sourceforge.net
Cc: Martin Roesch <roesch at ...402...>




Hi Marty,
 

Here with this mail I am sending the pcaps of my traffic.... It
contains other traffic also. I am testing snort by creating a server
client program... My server is listening to port no 3131 and the
client is sending data to the same port (3131). So check for the 3131
port in the pcaps.

 
Thanks and regards

 
Dennis

Martin Roesch <roesch at ...402...> wrote:

No, I meant do you have binary packet capture files (pcaps) of the 
traffic that you're having trouble with? To generate them simply, run 
'tcpdump -w packets.pcap' and run your traffic, that should record the 
traffic and put it in a format that can be played back through Snort.

-Marty
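
An added example, not part of the original thread: one way to check a capture like the one discussed above for the rule's content on port 3131, both inside single packets and in the reassembled TCP stream. The function names and the sample capture are constructed for illustration; the parser assumes a classic pcap file with Ethernet/IPv4 framing and no sequence-number wrap.

```python
import struct

def tcp_payloads(pcap, port):
    """Yield (flow, seq, payload) for TCP data sent to `port` (Ethernet/IPv4 pcap)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                     # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) < 20:
            continue                             # truncated TCP header
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if dport == port and data:
            yield (frame[26:30], sport), seq, data   # flow = (source IP, source port)

def reassemble(segments):
    """Per flow: order by sequence number, drop retransmitted bytes, stop at a gap."""
    streams, nxt = {}, {}
    for flow, seq, data in sorted(segments):
        expected = nxt.setdefault(flow, seq)
        if seq <= expected < seq + len(data):    # contiguous and carries unseen bytes
            streams[flow] = streams.get(flow, b"") + data[expected - seq:]
            nxt[flow] = seq + len(data)
    return streams

def check(pcap, port, content):
    """Return (found inside one packet, found in a reassembled stream)."""
    segs = list(tcp_payloads(pcap, port))
    return (any(content in d for _, _, d in segs),
            any(content in s for s in reassemble(segs).values()))

def _frame(seq, data):  # constructed sample segment, 10.0.0.1:40000 -> 10.0.0.2:3131
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 3131, seq, 0, 0x50, 0x18, 8192, 0, 0)
    frame = bytes(12) + b"\x08\x00" + ip + tcp + data
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: "World" arrives first, "Hello " is sent twice (retransmission).
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _frame(1006, b"World") + _frame(1000, b"Hello ") + _frame(1000, b"Hello "))
```

For the constructed capture, check(SAMPLE, 3131, b"Hello World") finds the content only in the reassembled stream; to check a real capture, pass the bytes of a file written with 'tcpdump -w packets.pcap'.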


