[Snort-devel] Content across multiple packets Not detected by Snort

Dennis George easyeinfo at ...398...
Thu Apr 29 03:54:05 EDT 2004

Hello Marty,
Sorry I didn't able communicate with you guys for so long... actually I had to go for an urgent work out of station. I am extremly sorry for that....... So I didn't able to send you my proper pcap dump......
Last time the tcp dump I send is also working with me.... sorry for sending that... Actually I send the wrong one...... 
This tcp dump I am sending is the one which is causing the problem..... In this my keyword trinity at ...2502... is in splitted in two packets.....i.e.
pkt one ::: ....data... trinit
pkt two ::: y at ...2502... data ....
That's why snort is not detecting the alert....
Thanks and regards
Dennis George

Martin Roesch <roesch at ...402...> wrote: 
This rule picks it up on my machine:

alert tcp any any -> any 3131 (content: "trinity at ...2502..."; msg: 
"Trinity detected";)

Here's the command line I used:

snort -c trinity.rule -r ~/Desktop/packets.pcap -l ./log -A console -N 
-k none

Try that and let me know how it works.


On Apr 27, 2004, at 7:42 AM, Dennis George wrote:

> Oh I am extremly Sorry for that... But in this test case I am 
> searching for trinity at ...2501...
> Sorry I didn't mention that......
> Dennis
> Paul Tinsley wrote:
> Now I may be missing something but looking at your pcap file, there is
> nothing in there to trigger the rule... Here is the ascii content
> between the hosts for the 3131 connection:
> Wow, over a year since the laslability, take
> a loi trinity at ...2502... Welcome
> .nort but are interested in a
> * Major tagging updally supported version with
> ent==============================
> You are searching for Hello World, that pcap file shouldn't trigger an 
> alert.
> Thanks,
> Paul Tinsley
> ----- Original Message -----
> From: Dennis George
> Date: Mon, 26 Apr 2004 22:42:23 -0700 (PDT)
> Subject: Re: [Snort-devel] Content across multiple packets Not 
> detected by Snort
> To: snort-devel at lists.sourceforge.net
> Cc: Martin Roesch
> Hi Marty,
> Here with this mail I am sending the pcaps of my traffic.... It
> contains other traffic also. I am testing snort by creating a server
> client program... My server is listening to port no 3131 and the
> client is sending data to the same port (3131). So check for the 3131
> port in the pcaps.
> Thanks and regards
> Dennis
> Martin Roesch wrote:
> No, I meant do you have binary packet capture files (pcaps) of the
> traffic that you're having trouble with? To generate them simply, run
> 'tcpdump -w packets.pcap' and run your traffic, that should record the
> traffic and put it in a format that can be played back through Snort.
> -Marty
> ________________________________
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
Snort-devel mailing list
Snort-devel at lists.sourceforge.net

Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040429/d3780c8a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcapdump.log
Type: application/octet-stream
Size: 121588 bytes
Desc: pcapdump.log
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040429/d3780c8a/attachment.obj>

More information about the Snort-devel mailing list