[Snort-sigs] payload problem

Michael Boman michael.boman at ...2564...
Mon Jun 21 02:58:02 EDT 2004


On Mon, 2004-06-21 at 17:35, Alexandru Balan wrote:
> [root at ...2558... root]# snort -qvdi br0 src host 80.86.100.173 and not port 22
> 06/21-12:29:14.208233 80.86.100.173:33435 -> 80.86.106.24:33
> TCP TTL:62 TOS:0x10 ID:1592 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xB0A36BC6  Ack: 0x0  Win: 0x16D0  TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 10710526 0 NOP WS: 0
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> 
> 
> How do I run Snort in order to see the payload of every connection to a
> specific port?
> I want to capture the traffic in order to write signatures based on
> content:"|...|".

This particular packet is a lone SYN packet, meaning that it is the
first packet in the 3-way handshake. This packet should not contain any
payload (which holds true in your example).

Personally, I record the traffic of interest in pcap format (Snort,
tcpdump, Ethereal, etc.) and load it into Ethereal to find the
interesting stuff.

Best regards
 Michael Boman

-- 
Michael Boman <michael.boman at ...2564...>
BOSECO Internet Security Solutions - http://www.boseco.com
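As an added illustration of the two points above (a bare SYN carries no payload, and the practical route is to work from a pcap), here is a small script that is not part of this thread or of Snort: it parses a classic pcap, keeps only TCP segments to or from one port that actually carry data, and renders each payload as a Snort `content:"|..|"` hex string. The capture it reads is constructed in memory from the header values shown in the quoted output (TTL 62, TOS 0x10, ID 1592, window 0x16D0, seq 0xB0A36BC6); the "HELO" and "SSH-2.0-" payloads and the function names are assumptions made for the example.

```python
"""Extract TCP payloads for one port from a pcap and print them as Snort
content:"|..|" strings. Added example; constructed sample capture."""
import socket
import struct

SYN = 0x02
PSH = 0x08
ACK = 0x10
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (constructed sample; checksums are
    left at zero because this only needs to be parsed, never transmitted)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40 + len(payload), 1592,
                     0x4000, 62, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0xB0A36BC6, 0,
                      (5 << 12) | flags, 0x16D0, 0, 0)   # data offset 5 words
    return eth + ip + tcp + payload


def pcap_file(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1087800000 + i, 0, len(f), len(f)) + f
    return out


def tcp_packets(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for each IPv4/TCP frame."""
    magic = pcap[:4]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4 or truncated
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < total:
            continue                                      # not TCP or short
        tcp = ip[ihl:total]
        doff = (tcp[12] >> 4) * 4
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               sport, dport, tcp[13], tcp[doff:])


def payloads_for_port(pcap, port):
    """Non-empty payloads of TCP segments to or from `port`. A bare SYN has
    no data, so it drops out here: a content match can never fire on it."""
    return [p for (_, _, sp, dp, _, p) in tcp_packets(pcap)
            if port in (sp, dp) and p]


def snort_content(payload):
    """Render bytes as a Snort content option in all-hex form."""
    return 'content:"|%s|"' % " ".join("%02X" % b for b in payload)


# Constructed capture: the SYN from the quoted output, a data segment on the
# same connection, and one SSH segment that the port filter should drop.
SAMPLE = pcap_file([
    tcp_frame("80.86.100.173", "80.86.106.24", 33435, 33, SYN),
    tcp_frame("80.86.100.173", "80.86.106.24", 33435, 33, PSH | ACK, b"HELO x\r\n"),
    tcp_frame("80.86.100.173", "80.86.106.24", 33436, 22, PSH | ACK, b"SSH-2.0-"),
])

if __name__ == "__main__":
    for p in payloads_for_port(SAMPLE, 33):
        print(snort_content(p))
```

Against a real file, replace `SAMPLE` with `open("capture.pcap", "rb").read()`; only segments that carry bytes are listed, which is why the SYN in the quoted output never shows up as signature material.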
