[Snort-sigs] payload problem
michael.boman at ...2564...
Mon Jun 21 02:58:02 EDT 2004
On Mon, 2004-06-21 at 17:35, Alexandru Balan wrote:
> [root at ...2558... root]# snort -qvdi br0 src host 188.8.131.52 and not port 22
> 06/21-12:29:14.208233 184.108.40.206:33435 -> 220.127.116.11:33
> TCP TTL:62 TOS:0x10 ID:1592 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xB0A36BC6 Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 10710526 0 NOP WS: 0
> How do I run snort in order to see the payload of every connection to a
> specific port?
> I want to capture the traffic in order to write signatures based on
This particular packet is a lone SYN packet, meaning that it is the
first packet in the 3-way handshake. This packet should not contain any
payload (which holds true in your example).
Personally I record the traffic of interest in pcap format (snort,
tcpdump, ethereal etc), and load it into ethereal to find the
Michael Boman <michael.boman at ...2564...>
BOSECO Internet Security Solutions - http://www.boseco.com
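As an added example (not from the post or its author), a small Python parser that illustrates the point above: a lone SYN carries no TCP payload, while a later data segment on the same port does. The packet bytes are constructed here to mirror the quoted header fields (DgmLen 60, TcpLen 40, the same option list); the addresses are placeholders.

```python
import struct

# Constructed sample: the option list from the quoted SYN
# (MSS 1460, SackOK, TS 10710526 0, NOP, WS 0) = 20 bytes -> TcpLen 40.
SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"                              # MSS 1460
    + b"\x04\x02"                                     # SackOK
    + b"\x08\x0a" + struct.pack("!II", 10710526, 0)   # Timestamps
    + b"\x01"                                         # NOP
    + b"\x03\x03\x00"                                 # Window scale 0
)

def build_packet(flags, options=b"", payload=b"", sport=33435, dport=33):
    """Assemble a raw IPv4+TCP packet (no link layer, checksums left 0).
    Addresses 10.0.0.1 -> 10.0.0.2 are placeholders, not from the post."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0xB0A36BC6, 0,
                      (tcp_len // 4) << 4, flags, 0x16D0, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(tcp), 1592,
                     0x4000, 62, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def tcp_payload(pkt):
    """Return (tcp_flags, payload_bytes) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                   # IP header length
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4               # TCP header length incl. options
    return tcp[13], tcp[data_off:]

def describe(pkt):
    """Return (flag names, payload length) as snort -v/-d would let you see."""
    flags, data = tcp_payload(pkt)
    bits = ((0x02, "SYN"), (0x08, "PSH"), (0x10, "ACK"), (0x01, "FIN"))
    return "/".join(n for b, n in bits if flags & b), len(data)

def syn_packet():
    return build_packet(0x02, options=SYN_OPTIONS)       # flags: S

def data_packet(payload):
    return build_packet(0x18, payload=payload)           # flags: PA

if __name__ == "__main__":
    print(describe(syn_packet()))                        # ('SYN', 0)
    print(describe(data_packet(b"USER anonymous\r\n")))  # ('PSH/ACK', 16)
```

The SYN decodes with 60 bytes of IP datagram and zero payload, exactly as in the quoted dump; only the PSH/ACK segment that follows the handshake has bytes for a content-based signature.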