[Snort-users] application layer data

John Sage jsage at ...2022...
Sat Mar 2 16:42:27 EST 2002


Just one thought:

Note that if the DgmLen is 40, there *is* no application data.

There is only the IP header for 20, and the TCP header for 20.

Since you've posted a RST, below, there aren't even going to be any
TCP options...


- John
-- 
Most people don't type their own logfiles;  but, what do I care?



On Sat, Mar 02, 2002 at 01:27:11PM -0600, Benjamin Collins wrote:
> I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine.  I am
> trying to log all the data from TCP packets that match certain rules,
> but it's not working.  I know the packets are matching the rules,
> because the correct alerts are being generated, but the full packets are
> nowhere to be found.  In the config file, I am using the 'config
> dump_payload' directive, and in the command used to start snort I am
> using the -d option.  
> 
> Some information is being logged into directories named after ip
> addresses, but I don't think they are complete packets -- for example:
> 
> Here's an alert generated by a rule I wrote:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
> TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0xFA54EC12  Ack: 0x0  Win: 0x0  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23
> file, and even in the files that are in there, there is no application
> data; they look just like the above alert.
> 
> Anyone know what might be going on?
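As an added example (not code from the thread or from Snort), a short Python script that parses the Snort 1.x text-alert format quoted above and applies the arithmetic John describes: DgmLen minus IpLen minus TcpLen is the number of application-layer bytes, so the 40-byte RST has nothing for -d or dump_payload to write. The second alert is a constructed data-bearing segment with TCP options, included to show the general case.

```python
import re

# Constructed samples in Snort 1.x text-alert format. The first is the RST
# quoted in the thread; the second is a made-up data-bearing segment with options.
RST_ALERT = """\
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12  Ack: 0x0  Win: 0x0  TcpLen: 20
"""
DATA_ALERT = """\
02/23-17:26:01.000000 10.1.1.6:4570 -> 172.16.1.12:23
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x4000  TcpLen: 32
"""

# Snort's eight flag columns: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_COLUMNS = "12UAPRSF"

def parse_alert(text):
    """Extract IpLen, DgmLen, TcpLen and the set TCP flags from one alert."""
    m_ip = re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", text)
    m_tcp = re.search(r"^([12UAPRSF*]{8})\s.*TcpLen:\s*(\d+)", text, re.M)
    if not (m_ip and m_tcp):
        raise ValueError("not a TCP alert in Snort text format")
    flags = {name for name, ch in zip(FLAG_COLUMNS, m_tcp.group(1)) if ch != "*"}
    return {"ip_len": int(m_ip.group(1)), "dgm_len": int(m_ip.group(2)),
            "tcp_len": int(m_tcp.group(2)), "flags": flags}

def payload_bytes(info):
    """Application-layer bytes = DgmLen - IP header - TCP header (TcpLen includes options)."""
    n = info["dgm_len"] - info["ip_len"] - info["tcp_len"]
    if n < 0:
        raise ValueError("header lengths exceed DgmLen; alert is inconsistent")
    return n

def tcp_option_bytes(info):
    """Anything in the TCP header beyond the fixed 20 bytes is options."""
    return info["tcp_len"] - 20

def explain(text):
    """One-line triage verdict: is there any payload for -d / dump_payload to show?"""
    info = parse_alert(text)
    n, opts = payload_bytes(info), tcp_option_bytes(info)
    flags = "".join(sorted(info["flags"])) or "none"
    if n == 0:
        return f"flags={flags} options={opts}B payload=0B: nothing for -d to dump"
    return f"flags={flags} options={opts}B payload={n}B: expect a data dump"

if __name__ == "__main__":
    for alert in (RST_ALERT, DATA_ALERT):
        print(explain(alert))
```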
