[Snort-devel] Snort packet sequence numbers remain constant

Russ Combs rcombs at ...402...
Thu Dec 6 13:19:51 EST 2012


Snort logs the packet or packets that triggered the alert, using the
sequence and ack numbers therein.

Although your content may match different raw packets, you may actually be
alerting on the same stream5 reassembled packet.  Try using:

stream5_global: show_rebuilt_packets

and / or snort -A cmg to see where you are alerting.  If it still isn't
clear, send a pcap and conf and we'll take a look.

Russ

On Wed, Dec 5, 2012 at 5:30 PM, Shankar Narayan <keshi8086 at ...2499...> wrote:

> Hi,
>
> I am new to snort and I have been playing around with rules to be able to
> detect exe files coming through the network.
>
> One of the things I noticed when I added my rules was that the sequence
> number that showed up on all the alert logs was the same. The same was the
> case for the ACKs too.
>
> This seems odd, as for subsequent packets of the exe download I get the
> alert with the same TCP seq number and ACK!
>
> How does the sequence number and ACK number thrown out by the alert logs
> differ from the one inside the tcp header?
>
> Any pointers on what's exactly happening?
>
> Thanks,
> - keshi
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
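The effect Russ describes, shown as an added example that is not part of the original thread and not Snort's own code: a toy model of stream reassembly in which several raw TCP segments of a download are merged into one rebuilt buffer, and content matches are run once per raw segment and once against the rebuilt buffer. The segments, the rule patterns and the convention that the rebuilt packet carries the seq/ack of the first segment in the flushed range are all constructed assumptions for illustration; in a real deployment the `stream5_global: show_rebuilt_packets` option from the reply above is what lets you see the rebuilt packet Snort actually alerted on.

```python
"""Toy model of why content alerts on a reassembled stream share one seq/ack.

Constructed example, not Snort code: three TCP segments of a fake PE
download arrive out of order, are reassembled into one buffer the way a
stream reassembler would hand a rebuilt packet to the detection engine,
and the same content rules are run in both raw and rebuilt mode.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    ack: int        # TCP acknowledgement number carried in the same header
    payload: bytes


# Constructed sample traffic: a fake PE file split across three 16-byte
# segments, delivered out of order. The ack stays constant because the
# client sends nothing while the download is in flight.
SEGMENTS = [
    Segment(seq=1000, ack=5000, payload=b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8),
    Segment(seq=1032, ack=5000, payload=b"PE\x00\x00" + b"\x00" * 12),
    Segment(seq=1016, ack=5000, payload=b"This program can"),
]

# Constructed "rules": content patterns a PE-detection ruleset might carry.
PATTERNS = {
    "pe_mz_header": b"MZ",
    "pe_dos_stub": b"This program",
    "pe_signature": b"PE\x00\x00",
}


def reassemble(segments):
    """Order segments by seq and concatenate contiguous payloads.

    Returns (rebuilt_packet, gap_found). The rebuilt packet takes the seq/ack
    of the first segment in the range (an assumption of this model). Any
    retransmitted overlap is dropped; if a hole is found, data after it is
    left out and gap_found is True so the caller can see the stream is
    incomplete rather than silently matching across the hole.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    data = bytearray()
    expected = ordered[0].seq
    gap = False
    for seg in ordered:
        if seg.seq > expected:
            gap = True
            break
        data += seg.payload[expected - seg.seq:]   # trim overlapping prefix
        expected = max(expected, seg.seq + len(seg.payload))
    return Segment(ordered[0].seq, ordered[0].ack, bytes(data)), gap


def alerts(segments, patterns, rebuilt=True):
    """Run content matches per raw segment or against the rebuilt packet.

    Each alert records (rule, seq, ack) of the packet the match was found
    in, which is what would end up in the alert log.
    """
    packets = [reassemble(segments)[0]] if rebuilt else list(segments)
    found = []
    for pkt in packets:
        for name, pat in patterns.items():
            if pat in pkt.payload:
                found.append((name, pkt.seq, pkt.ack))
    return found


if __name__ == "__main__":
    for mode in (False, True):
        print("rebuilt" if mode else "raw")
        for rule, seq, ack in alerts(SEGMENTS, PATTERNS, rebuilt=mode):
            print(f"  {rule:14s} seq={seq} ack={ack}")
```

In raw mode the three rules fire on three different segments and log three different sequence numbers; in rebuilt mode all three fire on the single reassembled packet and log the same seq/ack, which is the symptom reported in the question.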