[Snort-devel] Snort packet sequence numbers remain constant

Shankar Narayan keshi8086 at ...2499...
Wed Dec 5 17:30:24 EST 2012


Hi,

I am new to Snort and I have been playing around with rules to be able to
detect exe files coming through the network.

One of the things I noticed when I added my rules was that the sequence
number that showed up on all the alert logs was the same. The same was the
case for ACKs too.

This seems odd, as for subsequent packets of the exe download I get the
alert with the same TCP seq number and ACK!

How do the sequence number and ACK number thrown out by the alert logs
differ from the ones inside the TCP header?

Any pointers on what exactly is happening?

Thanks,
- keshi