[Snort-users] application layer data
mkettler at ...4108...
Sat Mar 2 15:23:10 EST 2002
The example packet you provided has no application layer data in it to be
logged, so it is not surprising that there is no data logged :)
The packet is a TCP reset packet; the IP layer length is 20 bytes, and a
minimal TCP header is 20 bytes long, leaving exactly 0 bytes available for
this packet to carry application layer data.
Can you select a packet which does have application layer data in it for
(fyi, pretty much all tcp stacks generate syn, synack, fin, finack and
reset packets with no application data)
At 01:27 PM 3/2/2002 -0600, Benjamin Collins wrote:
>I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine. I am
>trying to log all the data from TCP packets that match certain rules,
>but it's not working. I know the packets are matching the rules,
>because the correct alerts are being generated, but the full packets are
>nowhere to be found. In the config file, I am using the 'config
>dump_payload' directive, and in the command used to start snort I am
>using the -d option.
>Some information is being logged into directories named after ip
>addresses, but I don't think they are complete packets -- for example:
>Here's an alert generated by a rule I wrote:
>02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
>TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
>*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
>Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23
>file, and even in the files that are in there, there is no application
>data; they look just like the above alert.
>Anyone know what might be going on?
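The arithmetic behind the reply (datagram length minus IP header minus TCP header equals the bytes of application data Snort could dump) can be checked directly from the alert header lines. The following is an added example, not code from the thread or from Snort: it parses two constructed alerts in the Snort 1.x text format shown above (the quoted reset packet and a made-up PUSH/ACK segment that does carry data), decodes the `12UAPRSF` flag column as Snort prints it, and reports how many payload bytes `-d` / `dump_payload` could have shown and which per-host log file name the thread's naming would produce.

```python
import re

# Constructed sample, modelled on the reset packet quoted in the thread.
RST_ALERT = """02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20"""

# Constructed sample: a PUSH/ACK segment with TCP options and 21 bytes of data.
DATA_ALERT = """02/23-17:26:01.004412 10.1.1.6:4570 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:12345 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x2000 TcpLen: 32"""

# Column order of Snort's printed TCP flag field: two reserved bits, then
# URG, ACK, PSH, RST, SYN, FIN. A '*' means the flag is clear.
FLAG_ORDER = "12UAPRSF"

HEADER_RE = re.compile(r"^\S+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
IP_RE = re.compile(r"IpLen:(\d+)\s+DgmLen:(\d+)")
TCP_RE = re.compile(r"^([*12UAPRSF]{8})\s+.*TcpLen:\s*(\d+)")


def parse_alert(text):
    """Parse a three-line Snort 1.x TCP alert into a dict with the payload size."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) != 3:
        raise ValueError("expected a three-line TCP alert")
    hdr = HEADER_RE.match(lines[0])
    ip = IP_RE.search(lines[1])
    tcp = TCP_RE.match(lines[2])
    if not (hdr and ip and tcp):
        raise ValueError("unrecognised alert format")

    ip_len, dgm_len = int(ip.group(1)), int(ip.group(2))
    flag_col, tcp_len = tcp.group(1), int(tcp.group(2))
    if ip_len < 20 or tcp_len < 20:
        raise ValueError("IP and TCP headers are each at least 20 bytes")
    if dgm_len < ip_len + tcp_len:
        raise ValueError("datagram shorter than its headers; truncated or corrupt")

    # Flags set are the positions that are not '*'.
    flags = {FLAG_ORDER[i] for i, c in enumerate(flag_col) if c != "*"}
    return {
        "src": hdr.group(1), "sport": int(hdr.group(2)),
        "dst": hdr.group(3), "dport": int(hdr.group(4)),
        "ip_len": ip_len, "dgm_len": dgm_len, "tcp_len": tcp_len,
        "flags": flags,
        # Bytes left over for application data after both headers.
        "payload_len": dgm_len - ip_len - tcp_len,
    }


def expected_log_file(alert):
    """Per-host log file name in the form the thread shows (TCP:<sport>-<dport>)."""
    return "{}/TCP:{}-{}".format(alert["src"], alert["sport"], alert["dport"])


def explain(alert):
    """One-line diagnosis of why a payload dump would or would not be empty."""
    if alert["payload_len"] == 0:
        return ("no application data: {} byte datagram = {} IP + {} TCP headers "
                "(flags {}); nothing to dump").format(
                    alert["dgm_len"], alert["ip_len"], alert["tcp_len"],
                    "".join(sorted(alert["flags"])))
    return "{} bytes of application data would be dumped (flags {})".format(
        alert["payload_len"], "".join(sorted(alert["flags"])))


if __name__ == "__main__":
    for sample in (RST_ALERT, DATA_ALERT):
        a = parse_alert(sample)
        print(expected_log_file(a), "->", explain(a))
```

Running the script shows the reset packet yielding zero payload bytes and the PUSH/ACK segment yielding 21, which is the distinction the reply is making: `-d` only logs bytes that are actually there, so control segments (SYN, SYN/ACK, FIN, RST) produce header-only entries no matter what the rule matched.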