[Snort-users] Re: What wins? TCP headers or packet contents?

Erek Adams erek at ...577...
Wed Sep 11 11:19:04 EDT 2002


[added snort-dev to the cc list]

On Tue, 10 Sep 2002, John Sage wrote:

> Let me bring the question up to the top:
>
> > So the question for the snort list is:
>
> > What wins:
>
> > TCP header stuff: i.e. the destination port,
>
> > or,
>
> > Packet contents stuff: i.e. a hex series within the payload of a
> > packet, but with no match on destination port?
>
> <snip>
>
>
> Executive summary:
>
> Twice (once real-time, once on replay against a binary log file) I
> have packets matching an rpc.rules by content (a hex sequence) but not
> by the destination port stated in the rule.


[...snip...]

Damn you John.  I haven't had enough coffee yet for questions like this.  ;-)

Unless I'm wrong, I think the answer is here:

	http://www.snort.org/docs/faq.html#3.13


