[Snort-users] Double Logging?

Bradley, Paul paulb at ...4318...
Mon Dec 30 06:04:02 EST 2002


After going through a rather large event this morning, I noticed that when
SNORT (v. 1.9.0 on RH 7.2) logged the packet payload to a binary file, it
"double logged" the events.  One entry contained the absolute TCP Sequence
number and the next event contained the relative sequence number.  This was
a rather large event - 45000+ hits, but turns out to be over 90000+ hits due
to the double logging of packets.  Any ideas what might have caused this?


Thanks,

Paul


Sample Entry:

02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok]
1604735253:1604735318(65) ack 2153141295 win 8760 (DF) (ttl 107, id 17065,
len 105)
0x0000   4500 0069 42a9 4000 6b06 191b a831 e902        E..iB. at ...7848...
0x0010   xxyy 8308 1279 0050 5fa6 5115 8056 542f        .....y.P_.Q..VT/
0x0020   5018 2238 8bb0 0000 4845 4144 202f 4d53        P."8....HEAD./MS
0x0030   4144 432f 726f 6f74 2e65 7865 3f2f 632b        ADC/root.exe?/c+
0x0040   6469 722b 633a 5c20 4854 5450 2f31 2e30        dir+c:\.HTTP/1.0
0x0050   0d0a 486f 7374 3a20 3135 392e 3134 322e        ..Host:.MY.NET.
0x0060   3133 312e 380d 0a0d 0a                         131.8....

02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok] 0:65(65)
ack 1 win 8760 (DF) (ttl 107, id 17065, len 105)
0x0000   4500 0069 42a9 4000 6b06 191b a831 e902        E..iB. at ...7848...
0x0010   xxyy  8308 1279 0050 5fa6 5115 8056 542f        .....y.P_.Q..VT/
0x0020   5018 2238 8bb0 0000 4845 4144 202f 4d53        P."8....HEAD./MS
0x0030   4144 432f 726f 6f74 2e65 7865 3f2f 632b        ADC/root.exe?/c+
0x0040   6469 722b 633a 5c20 4854 5450 2f31 2e30        dir+c:\.HTTP/1.0
0x0050   0d0a 486f 7374 3a20 3135 392e 3134 322e        ..Host:.MY.NET.
0x0060   3133 312e 380d 0a0d 0a                         131.8....
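One way to confirm double logging of this kind before counting hits, as an added example (not from the original post and not Snort's own code): the script below parses tcpdump-style entries like the two quoted above and groups entries that are the same packet on the wire (same capture time, endpoints, IP id, IP length and bytes) but were printed with different sequence/ack numbers. The parser and the embedded sample excerpt are constructed for this illustration and assume the exact text layout shown in the post.

```python
import re

# Constructed excerpt of the two entries quoted above, hex dump truncated to
# two lines each; "xxyy" is the original poster's own redaction.
SAMPLE_LOG = """\
02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok]
1604735253:1604735318(65) ack 2153141295 win 8760 (DF) (ttl 107, id 17065,
len 105)
0x0000   4500 0069 42a9 4000 6b06 191b a831 e902        E..iB.@.k....1..
0x0010   xxyy 8308 1279 0050 5fa6 5115 8056 542f        .....y.P_.Q..VT/

02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok] 0:65(65)
ack 1 win 8760 (DF) (ttl 107, id 17065, len 105)
0x0000   4500 0069 42a9 4000 6b06 191b a831 e902        E..iB.@.k....1..
0x0010   xxyy  8308 1279 0050 5fa6 5115 8056 542f        .....y.P_.Q..VT/
"""
# The header line may be wrapped; wrapped pieces are joined before matching.
HEADER_RE = re.compile(
    r'(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): .*?\[tcp sum ok\] '
    r'(?P<seq>\d+):\d+\((?P<plen>\d+)\) ack (?P<ack>\d+) .*?'
    r'id (?P<ipid>\d+), len (?P<iplen>\d+)\)')
HEX_WORD = re.compile(r'[0-9a-fxy]{2,4}')  # x/y allowed for redacted bytes

def parse_log(text):
    """Return one dict per packet entry; hex column kept, ASCII column dropped."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.search(' '.join(l for l in lines if not l.startswith('0x')))
        if not m:
            continue
        rec = m.groupdict()
        words = []
        for line in (l for l in lines if l.startswith('0x')):
            for tok in line.split()[1:]:         # [0] is the offset column
                if not HEX_WORD.fullmatch(tok):  # first ASCII token ends the hex
                    break
                words.append(tok)
        rec['payload'] = ''.join(words)
        records.append(rec)
    return records

def find_double_logged(records):
    """Group entries that are one packet on the wire (same capture time, endpoints,
    IP id, IP length and bytes) and differ only in the printed seq/ack numbers."""
    groups = {}
    for r in records:
        key = (r['ts'], r['src'], r['dst'], r['ipid'], r['iplen'], r['payload'])
        groups.setdefault(key, []).append((int(r['seq']), int(r['ack'])))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Dividing the hit count by the number of entries per group gives the true packet count; for the sample above, the one group holds the absolute pair (1604735253, 2153141295) and the relative pair (0, 1).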
