[Snort-users] Odp: Re: Odp: Re: Odp: RE: React option doesn't work

Robert Lasota wrkilu at ...3879...
Fri Mar 27 16:00:15 EDT 2015


On Friday, 27 March 2015 20:24, Carter Waxman (cwaxman) <cwaxman at ...589...> wrote:
> Can you check the connection with tcpdump from between Snort and the
> client? Do you see a FIN for the http session?
>  

No, no FIN.

I'm testing the address wp.pl/d.php on the client computer (10.192.1.91), and tcpdump on the router shows:
19:56:27.918239 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [S], seq 3915938431, win 14600, options [mss 1460,sackOK,TS val 344834610 ecr 0,nop,wscale 7], length 0
19:56:28.033642 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [S.], seq 2878190590, ack 3915938432, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
19:56:28.033992 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.], ack 1, win 115, length 0
19:56:28.034072 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:28.034365 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.], seq 192, ack 1000, win 0, length 0
19:56:28.034721 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.], ack 1, win 115, length 0
19:56:28.382534 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:28.731704 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:29.429504 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:30.823519 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:33.611530 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:33.611682 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.], seq 1, ack 1000, win 0, length 0
19:56:33.612422 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [S], seq 2069103655, win 14600, options [mss 1460,sackOK,TS val 344840304 ecr 0,nop,wscale 7], length 0
19:56:33.725269 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [S.], seq 2148213734, ack 2069103656, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
19:56:33.725751 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.], ack 1, win 115, length 0
19:56:33.725843 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:33.726170 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.], seq 192, ack 1000, win 0, length 0
19:56:33.726576 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.], ack 1, win 115, length 0
19:56:34.068555 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:34.411693 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:35.097507 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:36.467547 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:39.211591 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.], seq 1:1000, ack 1, win 115, length 999
19:56:39.211695 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.], seq 1, ack 1000, win 0, length 0

That's all.