[Snort-devel] Snort packet sequence numbers remain constant

Shankar Narayan keshi8086 at ...2499...
Thu Dec 6 18:55:47 EST 2012


Cool. Thanks!

Tried it out. Makes more sense now. However, isn't this a bit non-intuitive?
The alert shows up for the same stream multiple times with no change in
properties. Is there a way to suppress this such that I can be alerted only
when the entire data has been received or transmitted? Like detecting an
EOF in addition to the existing rule to detect EXEs should throw up just a
single alert statement, right?

This in turn leads me to another question:
Is there a nice way to extract files from packet capture in snort while it's
configured inline? There are many data carving modules out there which
analyse pcap dumps, but I was wondering if it'd be a cool feature to have
within snort as an additional module.

Thanks,
--keshi


On Thu, Dec 6, 2012 at 10:19 AM, Russ Combs <rcombs at ...402...> wrote:

> Snort logs the packet or packets that triggered the alert, using the
> sequence and ack numbers therein.
>
> Although your content may match different raw packets, you may actually be
> alerting on the same stream5 reassembled packet.  Try using:
>
> stream5_global: show_rebuilt_packets
>
> and / or snort -A cmg to see where you are alerting.  If it still isn't
> clear, send a pcap and conf and we'll take a look.
>
> Russ
>
> On Wed, Dec 5, 2012 at 5:30 PM, Shankar Narayan <keshi8086 at ...2499...> wrote:
>
>> Hi,
>>
>> I am new to snort and I have been playing around with rules to be able to
>> detect exe files coming through the network.
>>
>> One of the things I noticed when I added my rules was that the sequence
>> number that showed up on all the alert logs was the same. The same was the
>> case for ACKs too.
>>
>> This seems odd, as for subsequent packets of the exe download I get the
>> alert with the same tcp seq number and ack!
>>
>> How do the sequence number and ACK number thrown out by the alert logs
>> differ from the ones inside the tcp header?
>>
>> Any pointers on what's exactly happening?
>>
>> Thanks,
>> - keshi


-- 
*KESHY*
*Real Name: Krishnan Shankar Narayan*
*"So let it be written, So let it be done!"*
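As an added example (not from the thread, and not the poster's or the Snort project's own configuration): a snort.conf fragment that turns on the rebuilt-packet marker Russ suggests and pairs the EXE rule with a per-flow flowbit so that the alert fires once per TCP stream, on the first reassembled segment that matches, rather than on every rebuilt segment. The rule text, sid, flowbit name and the `$HTTP_PORTS`/`$HOME_NET` variables are assumptions (the variables are the ones the stock snort.conf defines), and Snort 2.9.x syntax is assumed.

```conf
# Added example, assumed for Snort 2.9.x; not code from the thread.

# 1) Mark alerts raised on stream5-reassembled data so you can see them in
#    the alert output, as suggested in the reply above.
preprocessor stream5_global: track_tcp yes, show_rebuilt_packets
preprocessor stream5_tcp: policy first

# 2) Alert once per TCP flow. A flowbit is per-flow state: the first
#    reassembled segment whose HTTP body starts with the PE "MZ" magic sets
#    it, so later rebuilt segments of the same download no longer match.
#    (sid, msg and the bit name "example.exe_seen" are assumptions)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE exe download seen, once per flow"; \
    flow:to_client,established; \
    file_data; content:"MZ"; depth:2; \
    flowbits:isnotset,example.exe_seen; \
    flowbits:set,example.exe_seen; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 3) Alternative if the rule must stay as it is: rate-limit that sid per
#    source address instead (event_filter also goes in snort.conf).
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

The flowbit approach answers "one alert per stream" by alerting on the first matching segment, not on completion of the transfer; the event_filter variant caps alerts per source and time window rather than per flow, so pick it only where a rate cap is acceptable.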