[Snort-users] Re: [Snort-devel] Re: What wins? TCP headers or packet contents?

John Sage jsage at ...2022...
Wed Sep 11 11:53:06 EDT 2002


On Wed, Sep 11, 2002 at 11:17:13AM -0700, Erek Adams wrote:
> [added snort-dev to the cc list]
> 
> On Tue, 10 Sep 2002, John Sage wrote:
> 
> > Let me bring the question up to the top:

<snip-en-mass>

Another odd thing: when I replay the original binary log file that
contains these packets, other detects in that binary log cause the
alert-based directory structure described as:

"...If you just specify a plain "-l" switch, you may notice that Snort
sometimes uses the address of the remote computer the directory in
which it places packets..."

but the source IP for the packets in question is not one of the
directories created, even though the packets fire the rstatd rule:

<snip>
drwxr-xr-x    7 jsage    jsage        4096 Sep 10 21:28 .
drwxr-xr-x  494 jsage    jsage        8192 Sep  2 08:12 ..
drwx---r-x    2 jsage    jsage        4096 Sep 10 21:28 12.122.253.237
drwx---r-x    2 jsage    jsage        4096 Sep 10 21:28 12.241.44.94
drwx---r-x    2 jsage    jsage        4096 Sep 10 21:27 12.82.131.145
drwx---r-x    2 jsage    jsage        4096 Sep 10 21:27 61.177.222.139
drwx---r-x    2 jsage    jsage        4096 Sep 10 21:28 80.129.95.178
-rw----r-x    1 jsage    jsage      100561 Sep 10 21:28 alert187check.full
<snip>

The command line on replay is (a .bashrc alias):

alias snort187check='snort187 -dvX -l . -c \
/usr/local/snort-1.8.7/snort187check.conf -r '

where snort187.conf is identical to my firewall's production
snort187.conf, with the exception that it (..187check..) looks at
*all* rules, and I set $HOME_NET specifically to that in the log file
I'm replaying.

The packets in question *are* found in the alert187check.full file...


Cool, huh?


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705




More information about the Snort-users mailing list