[Snort-devel] Snort packet sequence numbers remain constant
keshi8086 at ...2499...
Thu Dec 6 18:55:47 EST 2012
Tried it out. Makes more sense now. However, isn't this a bit non-intuitive?
The alert shows up for the same stream multiple times with no change in
properties. Is there a way to suppress this such that I can be alerted only
when the entire data has been received or transmitted? Like detecting an
EOF in addition to the existing rule to detect EXEs should throw up just a
single alert statement, right?
This in turn leads me to another question:
Is there a nice way to extract files from packet capture in Snort while it's
configured inline? There are many data carving modules out there which
analyse pcap dumps, but I was wondering if it'd be a cool feature to have
within Snort as an additional module.
On Thu, Dec 6, 2012 at 10:19 AM, Russ Combs <rcombs at ...402...> wrote:
> Snort logs the packet or packets that triggered the alert, using the
> sequence and ack numbers therein.
> Although your content may match different raw packets, you may actually be
> alerting on the same stream5 reassembled packet. Try using:
> stream5_global: show_rebuilt_packets
> and / or snort -A cmg to see where you are alerting. If it still isn't
> clear, send a pcap and conf and we'll take a look.
> On Wed, Dec 5, 2012 at 5:30 PM, Shankar Narayan <keshi8086 at ...2499...>wrote:
>> I am new to snort and I have been playing around with rules to be able to
>> detect exe files coming through the network.
>> One of the things I noticed when I added my rules was that the sequence
>> number that showed up on all the alert logs were the same. The same was the
>> case for ACKs too.
>> This seems odd as for subsequent packets of the exe download I get the
>> alert with the same tcp seq number and ack!
>> How does the sequence number and ACK number thrown out by the alert logs
>> differ from the one inside the tcp header?
>> Any pointers on what's exactly happening?
>> - keshi
Real Name: Krishnan Shankar Narayan
"So let it be written, So let it be done!"
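For readers following this thread: the configuration fragment below is an added illustration, not something posted by Russ or Shankar and not part of the Snort distribution. It puts together the two things the thread discusses: enabling `show_rebuilt_packets` on `stream5_global` so that the reassembled packets the alerts are actually firing on become visible in the log, and writing the EXE-detection rule so that it fires once per TCP flow rather than on every reassembled chunk that happens to match. The once-per-flow behaviour uses `flowbits`, which is a standard Snort rule option; the network variables, the port list, the flowbit name `example.exe_seen` and the SID 1000001 are assumptions chosen for the example, and `file_data` assumes the `http_inspect` preprocessor is enabled as in a default snort.conf. Note that the rule still fires on the first reassembled PDU that contains the PE header, not on the end of the download, so it answers the "single alert" part of the question but not the "alert at EOF" part.

```snort
# Added example configuration (not from the original thread or the Snort project).
# 1. Make reassembled packets visible so you can see what the alert was really
#    matched against: with this option Snort logs a copy of each rebuilt packet,
#    and the seq/ack numbers in the alert will line up with that rebuilt packet
#    rather than with the individual raw segments.
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144, show_rebuilt_packets
preprocessor stream5_tcp: policy first, ports both 80 8080

# 2. Detect a PE executable in an HTTP response, but alert only once per flow.
#    flowbits:isnotset makes the rule skip every later match in the same
#    stream once flowbits:set has recorded the first one. file_data moves the
#    cursor to the HTTP body so the "MZ" check is against the payload start,
#    not against the HTTP headers. Flowbit name and SID are assumed values.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE PE executable in HTTP response"; \
    flow:to_client,established; \
    flowbits:isnotset,example.exe_seen; \
    file_data; content:"MZ"; depth:2; \
    flowbits:set,example.exe_seen; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 3. Alternative if you would rather keep the rule simple and rate-limit the
#    event instead: one alert per source host per 60 seconds for this SID.
#    (Do not combine with the flowbits version above; pick one.)
# event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

To check where a rule is matching, run the capture through the configuration with `snort -A cmg -c snort.conf -r download.pcap`: `-A cmg` prints each alert to the console together with a hex/ASCII dump of the packet it fired on, and with `show_rebuilt_packets` enabled the stream5-rebuilt packets appear in that output, so it is easy to tell a raw segment from a reassembled one. Compare the seq/ack values printed there with the ones in the alert log; they should be the rebuilt packet's values, which is exactly why the original question saw the same numbers repeated.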