[Snort-users] Odp: Re: Odp: Re: Odp: RE: React option doesn't work

Carter Waxman (cwaxman) cwaxman at ...589...
Fri Mar 27 17:08:40 EDT 2015


Thanks, this is an issue we are aware of. There should be a fix in the
next release.
 
On 3/27/15, 4:00 PM, "Robert Lasota" <wrkilu at ...3879...> wrote:

>On Friday, 27 March 2015 20:24 Carter Waxman (cwaxman)
><cwaxman at ...589...> wrote:
>> Can you check the connection with tcpdump from between Snort and the
>> client? Do you see a FIN for the HTTP session?
>>  
>
>No, no FIN.
>
>I'm testing the address wp.pl/d.php on the client computer (10.192.1.91),
>and tcpdump on the router shows:
>19:56:27.918239 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [S],
>seq 3915938431, win 14600, options [mss 1460,sackOK,TS val 344834610 ecr
>0,nop,wscale 7], length 0
>19:56:28.033642 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [S.],
>seq 2878190590, ack 3915938432, win 14600, options [mss
>1460,nop,nop,sackOK,nop,wscale 9], length 0
>19:56:28.033992 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.],
>ack 1, win 115, length 0
>19:56:28.034072 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:28.034365 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.],
>seq 192, ack 1000, win 0, length 0
>19:56:28.034721 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [.],
>ack 1, win 115, length 0
>19:56:28.382534 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:28.731704 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:29.429504 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:30.823519 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:33.611530 IP 10.192.1.91.55603 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:33.611682 IP 212.77.100.101.http > 10.192.1.91.55603: Flags [R.],
>seq 1, ack 1000, win 0, length 0
>19:56:33.612422 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [S],
>seq 2069103655, win 14600, options [mss 1460,sackOK,TS val 344840304 ecr
>0,nop,wscale 7], length 0
>19:56:33.725269 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [S.],
>seq 2148213734, ack 2069103656, win 14600, options [mss
>1460,nop,nop,sackOK,nop,wscale 9], length 0
>19:56:33.725751 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.],
>ack 1, win 115, length 0
>19:56:33.725843 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:33.726170 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.],
>seq 192, ack 1000, win 0, length 0
>19:56:33.726576 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [.],
>ack 1, win 115, length 0
>19:56:34.068555 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:34.411693 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:35.097507 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:36.467547 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:39.211591 IP 10.192.1.91.55604 > 212.77.100.101.http: Flags [P.],
>seq 1:1000, ack 1, win 115, length 999
>19:56:39.211695 IP 212.77.100.101.http > 10.192.1.91.55604: Flags [R.],
>seq 1, ack 1000, win 0, length 0
>
>That's all.
>
>
>




