[Snort-users] Content Match

Al Lewis (allewi) allewi at ...589...
Sun Feb 1 18:01:11 EST 2015

Based on the pcap you provided the content shows up in both packets. It looks like snort saw the retransmission and alerted on the duplicate.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Mark Greenman [mailto:mark.greenman.014 at ...11827...]
Sent: Saturday, January 31, 2015 9:51 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Content Match

Hi. Do you know why snort creates two alerts for one content match?
I am using the following rule for content match:

alert tcp any any -> any any (msg:"Hit!"; content:"Tree"; sid:1000001;)
The file which is requested using HTTP and the logs created by snort in a pcap file are attached to this email.
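The behaviour described in the reply above (one content match, two alerts, because the same data arrives twice when a TCP segment is retransmitted) can be reproduced with a small model of the two inspection strategies. This is an added example, not code from the thread or from Snort itself; the segment fields, addresses and sequence numbers are constructed, and the `dedup_alerts` logic is an illustration of keying on flow and sequence number, not a description of Snort's stream preprocessor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model with just the fields a content matcher and a
    retransmission check need (constructed, not parsed from the real pcap)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


# Constructed sample traffic: the server's HTTP response carrying "Tree",
# the very same segment again (same flow, same seq) as a retransmission,
# then a fresh segment with new data.
RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<p>Tree</p>"
SAMPLE = [
    Segment("10.0.0.5", 80, "10.0.0.9", 51422, 1000, RESPONSE),
    Segment("10.0.0.5", 80, "10.0.0.9", 51422, 1000, RESPONSE),  # retransmit
    Segment("10.0.0.5", 80, "10.0.0.9", 51422, 1000 + len(RESPONSE), b"<p>Bush</p>"),
]

PATTERN = b"Tree"  # the content: option from the rule in the question


def naive_alerts(segments, pattern=PATTERN):
    """Stateless matching: each packet is inspected on its own, so a
    retransmitted segment produces a second alert for the same bytes.
    Returns the seq of every segment that alerted."""
    return [s.seq for s in segments if pattern in s.payload]


def is_retransmission(seg, seen):
    """A segment is treated as a retransmission when the same flow has already
    delivered a segment with the same seq and length (assumed heuristic)."""
    return (seg.src, seg.sport, seg.dst, seg.dport, seg.seq, len(seg.payload)) in seen


def dedup_alerts(segments, pattern=PATTERN):
    """Flow-aware matching: remember which (flow, seq, len) tuples have already
    been inspected and skip exact repeats. Only the duplicate is suppressed;
    genuinely new data in the same flow is still inspected and can alert."""
    seen = set()
    alerts = []
    for s in segments:
        if is_retransmission(s, seen):
            continue
        seen.add((s.src, s.sport, s.dst, s.dport, s.seq, len(s.payload)))
        if pattern in s.payload:
            alerts.append(s.seq)
    return alerts


if __name__ == "__main__":
    print("naive :", naive_alerts(SAMPLE))   # two alerts for one match
    print("dedup :", dedup_alerts(SAMPLE))   # one alert
    print("new data still alerts:", dedup_alerts(SAMPLE, b"Bush"))
```

When reviewing a pcap for this situation, the check is the one the reply applied: look for two segments in the same flow with the same sequence number and length; if both carry the matched content, the second alert is the retransmission, not a second occurrence of the string.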
