From: Matt Kettler (mkettlerevi-inc.com)
Date: Sat Mar 02 2002 - 17:24:24 CST

    The example packet you provided has no application layer data in it to be
    logged, so it is not surprising that there is no data logged :)

    The packet is a TCP reset packet; the IP layer length is 20 bytes. A
    minimal TCP header is 20 bytes long, leaving exactly 0 bytes available for
    this packet to carry application layer data.

    Can you select a packet which does have application layer data in it for
    your example?

    (FYI, pretty much all TCP stacks generate SYN, SYN-ACK, FIN, FIN-ACK and
    reset packets with no application data)

    At 01:27 PM 3/2/2002 -0600, Benjamin Collins wrote:
    >I am running snort 1.8.3 on a RedHat 7.2 (2.4.10-7) machine. I am
    >trying to log all the data from TCP packets that match certain rules,
    >but it's not working. I know the packets are matching the rules,
    >because the correct alerts are being generated, but the full packets are
    >nowhere to be found. In the config file, I am using the 'config
    >dump_payload' directive, and in the command used to start snort I am
    >using the -d option.
    >
    >Some information is being logged into directories named after ip
    >addresses, but I don't think they are complete packets -- for example:
    >
    >Here's an alert generated by a rule I wrote:
    >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    >02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
    >TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
    >*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20
    >
    >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    >Yet in the /var/log/snort/10.1.1.6/ directory, there is no TCP:4569-23
    >file, and even in the files that are in there, there is no application
    >data; they look just like the above alert.
    >
    >Anyone know what might be going on?
    >
    >
    >_______________________________________________
    >Snort-users mailing list
    >Snort-userslists.sourceforge.net
    >Go to this URL to change user options or unsubscribe:
    >https://lists.sourceforge.net/lists/listinfo/snort-users
    >Snort-users list archive:
    >http://www.geocrawler.com/redir-sf.php3?list=snort-users

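The arithmetic behind Matt's answer is payload bytes = DgmLen - IpLen - TcpLen. As an added example that is not part of the thread, the script below parses Snort 1.8-style alert headers like the one Benjamin posted and reports how many application-layer bytes each packet could have carried, so an analyst can tell at a glance why `-d` logged nothing for a RST; the 8-character flag-field layout `12UAPRSF` and the second sample alert are my assumptions, constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample: the RST alert from the thread, followed by a constructed
# PSH/ACK alert for a packet that does carry application-layer data.
SAMPLE_ALERTS = """\
02/23-17:25:53.148618 10.1.1.6:4569 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xFA54EC12 Ack: 0x0 Win: 0x0 TcpLen: 20

02/23-17:26:01.000000 10.1.1.6:4570 -> 172.16.1.12:23
TCP TTL:255 TOS:0x10 ID:1 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4000 TcpLen: 20
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)$")
IP_RE = re.compile(r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) .*TcpLen: (?P<tcplen>\d+)")
FLAG_NAMES = "12UAPRSF"  # assumed layout of Snort's 8-char TCP flag field


@dataclass
class TcpAlert:
    timestamp: str
    src: str
    dst: str
    flags: str
    ip_len: int
    dgm_len: int
    tcp_len: int

    @property
    def payload_len(self) -> int:
        # Application-layer bytes = IP datagram length minus both headers.
        return self.dgm_len - self.ip_len - self.tcp_len

    @property
    def flag_names(self) -> str:
        # Turn "*****R**" into "R", "***AP***" into "AP".
        return "".join(n for n, c in zip(FLAG_NAMES, self.flags) if c != "*")


def parse_alerts(text: str) -> list:
    """Parse consecutive 3-line Snort TCP alert headers into TcpAlert records."""
    alerts = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 2, 3):
        h, ip, tcp = HEADER_RE.match(lines[i]), IP_RE.search(lines[i + 1]), TCP_RE.match(lines[i + 2])
        if not (h and ip and tcp):
            continue  # skip separator or unrelated lines
        alerts.append(TcpAlert(h["ts"], h["src"], h["dst"], tcp["flags"],
                               int(ip["iplen"]), int(ip["dgmlen"]), int(tcp["tcplen"])))
    return alerts


def explain(alert: TcpAlert) -> str:
    """One-line verdict on whether -d / dump_payload could have logged anything."""
    who = f"{alert.src} -> {alert.dst} [{alert.flag_names}]"
    if alert.payload_len == 0:
        return f"{who}: 0 payload bytes, nothing for snort to log"
    return f"{who}: {alert.payload_len} payload bytes available"


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(explain(a))
```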