[Snort-users] Snort rule triggered an alert, but why?

C.Prickaerts at ...5294...
Sun Dec 8 08:58:02 EST 2002


Hi Chris,

Perhaps I have been crying wolf too soon...
I suddenly realized that I did not alter the default snap length of tcpdump,
so that what triggered snort could be there, but I wasn't capturing it.

Duh.


Cheers,

Chris


-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...] 
Sent: Thursday, 5 December 2002 22:09
To: C.Prickaerts at ...5294...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort rule triggered an alert, but why?


C.Prickaerts at ...5294... writes:

> Hi Chris,
>
> But what was the attack ?
> The rule says it looks at repeated 43 content. But I failed to spot 
> them in the dumplog.
>

It was a packet that went by that didn't match your homenet variable but was
already alerted on. Please try to reproduce it with current sources.

Thanks
-- 
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
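
The snap length problem described at the top of this thread can be checked directly in a saved capture. The following is an added example, not part of the original messages and not Snort or tcpdump code: it reads a classic pcap file and lists every packet whose captured length is shorter than its length on the wire. The function names, the 68-byte snap length and the sample packets filled with 0x43 bytes are assumptions constructed for the illustration.

```python
import struct

# Classic pcap magic numbers as they appear on disk, mapped to struct byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def find_truncated(pcap_bytes):
    """Return (snaplen, [(index, captured_len, wire_len), ...]) for cut-off packets."""
    if len(pcap_bytes) < 24:
        raise ValueError("shorter than a pcap global header")
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    # Global header layout: magic, version, thiszone, sigfigs, snaplen, linktype.
    snaplen = struct.unpack(endian + "I", pcap_bytes[16:20])[0]
    truncated, offset, index = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, bytes saved in file, bytes seen on the wire.
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        if incl_len < orig_len:
            # The sensor saw orig_len bytes; only incl_len made it into the dump.
            truncated.append((index, incl_len, orig_len))
        offset += 16 + incl_len
        index += 1
    return snaplen, truncated

def build_sample(snaplen, wire_lengths):
    """Constructed capture: one packet of 0x43 bytes per wire length, cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in wire_lengths:
        saved = (b"\x43" * n)[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(saved), n) + saved
    return out

if __name__ == "__main__":
    # Constructed sample: assumed 68-byte snap length, three packets.
    snaplen, cut = find_truncated(build_sample(68, [60, 1500, 200]))
    print(f"snaplen={snaplen}, truncated packets={len(cut)}")
    for index, captured, wire in cut:
        print(f"packet {index}: {captured} of {wire} bytes captured")
```

Any packet listed here may have carried content past the cut-off that an IDS inspecting the full packet matched on but the dump never recorded.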



