[Snort-users] application layer data

Matt Kettler mkettler at ...4108...
Sat Mar 2 15:23:10 EST 2002


The example packet you provided has no application layer data in it to be 
logged, so it is not surprising that there is no data logged :)

The packet is a tcp reset packet, the IP layer length is 20 bytes.. a 
minimal TCP header is 20 bytes long, leaving exactly 0 bytes available for 
this packet to carry application layer data.

Can you select a packet which does have application layer data in it for 
your example?

(fyi, pretty much all tcp stacks generate syn, synack, fin, finack and 
reset packets with no application data)

At 01:27 PM 3/2/2002 -0600, Benjamin Collins wrote:
>I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine.  I am
>trying to log all the data from TCP packets that match certain rules,
>but it's not working.  I know the packets are matching the rules,
>because the correct alerts are being generated, but the full packets are
>nowhere to be found.  In the config file, I am using the 'config
>dump_payload' directive, and in the command used to start snort I am
>using the -d option.
>
>Some information is being logged into directories named after ip
>addresses, but I don't think they are complete packets -- for example:
>
>Here's an alert generated by a rule I wrote:
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>=+
>
>02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
>TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
>*****R** Seq: 0xFA54EC12  Ack: 0x0  Win: 0x0  TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>=+
>
>Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23
>file, and even in the files that are in there, there is no application
>data; they look just like the above alert.
>
>Anyone know what might be going on?
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list