Snort mailing list archives
Hardcore -r question
From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 18:45:57 -0700
I'm playing with using the -r switch and tcpdump syntax on a binary log file, and I'm having one heckuva time understanding why this command line:
snort -dv -r snort-0609@0724.log 'tcp[3:1] == 111 ' returns what it does. I expect it to return packets with destination port 111, which it does, but WTF? It returns five other packets with a value of 62319 as the destination port, too.
This says, I think, go into the tcp header 3 bytes (first byte's zero,) and a one byte offset into that, and look at it -- and if it's "111" then true and show me the packet.
It does exactly the same thing if I say: snort -dv -r snort-0609@0724.log 'tcp[3] == 111 ' (Of course, if I just chill out and say "snort -dv -r snort-0609@0724.log dst port 111" it works just fine...)
Anyway, what am I missing?

- John

snort -dv -r snort-0609@0724.log 'tcp[3:1] == 111 '

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0609@0724.log" file.
snaplen = 1514

--== Initialization Complete ==--

06/09-07:55:39.985460 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51688 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE3BDFC2B Ack: 0xE4569CFB Win: 0x3EBC TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 282142772 430770634 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.275486 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51694 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE3BDFC2C Ack: 0xE4569F69 Win: 0x3C4E TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.295450 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51696 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xE3BDFE28 Ack: 0xE4569F69 Win: 0x3EBC TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.415514 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51695 IpLen:20 DgmLen:560 DF
***AP*** Seq: 0xE3BDFC2C Ack: 0xE4569F69 Win: 0x3EBC TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 53 61 74 2C 20 30 39 20 4A  .Date: Sat, 09 J
75 6E 20 32 30 30 31 20 31 34 3A 35 35 3A 33 39  un 2001 14:55:39
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70  GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 31 32 20 28 55 6E 69  ache/1.3.12 (Uni
78 29 20 50 48 50 2F 33 2E 30 2E 31 36 20 6D 6F  x) PHP/3.0.16 mo
<snip>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.595464 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51701 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE3BDFE29 Ack: 0xE4569F6A Win: 0x3EBC TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142833 430770695
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-11:42:15.844824 202.101.230.112:35932 -> 12.82.128.242:111
TCP TTL:237 TOS:0x0 ID:57191 IpLen:20 DgmLen:44 DF
******S* Seq: 0x42F039C4 Ack: 0x0 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-11:42:18.875184 202.101.230.112:35932 -> 12.82.128.242:111
TCP TTL:237 TOS:0x0 ID:57192 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x42F039C5 Ack: 0x0 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-15:08:11.145983 207.249.68.130:49620 -> 12.82.128.242:111
TCP TTL:241 TOS:0x0 ID:41055 IpLen:20 DgmLen:44 DF
******S* Seq: 0x4A27B537 Ack: 0x0 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-15:08:14.526320 207.249.68.130:49620 -> 12.82.128.242:111
TCP TTL:241 TOS:0x0 ID:41056 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x4A27B538 Ack: 0x0 Win: 0x2238 TcpLen: 20

===============================================================================
Snort processed 9 packets.
Breakdown by protocol:                Action Stats:
  TCP: 9          (100.000%)          ALERTS: 0
  UDP: 0          (0.000%)            LOGGED: 0
 ICMP: 0          (0.000%)            PASSED: 0
  ARP: 0          (0.000%)
 IPv6: 0          (0.000%)
  IPX: 0          (0.000%)
OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0    (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      0    (0.000%)
   Reconstructed Packets: 0    (0.000%)
   Streams Reconstructed: 0
===============================================================================

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
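Added example (not part of the post above, and not Snort or tcpdump code): a small Python emulation of the BPF byte accessor that the post's filter uses. In tcpdump syntax, tcp[3:1] reads the single byte at offset 3 of the TCP header, which is the low-order byte of the 16-bit destination port occupying bytes 2 and 3; dst port 111 compares the whole field, i.e. tcp[2:2] == 111. Since 62319 is 0xF36F and 0x6F is 111, both 111 and 62319 satisfy the one-byte test. The TCP headers below are constructed from the port pairs in the output above plus one extra pair (80 to 443) as a non-matching control; the helper also lists, going beyond the post, every destination port that the one-byte filter admits.

```python
import struct

# Constructed sample (src_port, dst_port) pairs. The first three use ports that
# appear in the snort output above; the last is a control that must match
# neither filter.
SAMPLE_PACKETS = [
    (80, 62319),   # HTTP replies that matched tcp[3:1] == 111 unexpectedly
    (35932, 111),  # SYN to the portmapper port
    (49620, 111),
    (80, 443),     # control: low byte 0xBB, not 0x6F
]


def build_tcp_header(src_port, dst_port, seq=0, ack=0, flags=0x02, window=8760):
    """Build a minimal 20-byte TCP header (no options) in network byte order."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def bpf_index(header, offset, size=1):
    """Emulate tcpdump's proto[offset:size]: read `size` bytes at `offset`
    as a big-endian unsigned integer. BPF only allows widths 1, 2 and 4."""
    if size not in (1, 2, 4):
        raise ValueError("BPF accessors are 1, 2 or 4 bytes wide")
    if offset + size > len(header):
        raise ValueError("accessor runs past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def filter_low_byte(header, value=111):
    """tcp[3:1] == value (what the post's command line actually asks for)."""
    return bpf_index(header, 3, 1) == value


def filter_dst_port(header, value=111):
    """tcp[2:2] == value, which is what 'dst port 111' compiles to."""
    return bpf_index(header, 2, 2) == value


def evaluate(packets=SAMPLE_PACKETS):
    """Run both filters over the constructed headers and report per packet."""
    results = []
    for src, dst in packets:
        hdr = build_tcp_header(src, dst)
        results.append({
            "dst": dst,
            "tcp[3:1]": bpf_index(hdr, 3, 1),
            "tcp[3:1]==111": filter_low_byte(hdr),
            "tcp[2:2]==111": filter_dst_port(hdr),
        })
    return results


def ports_matching_low_byte(value=111):
    """Every destination port for which 'tcp[3:1] == value' is true."""
    return [p for p in range(65536) if p & 0xFF == value]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
    hits = ports_matching_low_byte()
    print(len(hits), "destination ports share low byte 0x6F, e.g.", hits[:4])
```

The one-byte accessor is only a reliable port test when you compare the full two-byte field; any filter written against tcp[3] alone will admit 256 distinct destination ports, which is why a reviewer of a capture filter should check the accessor width against the width of the field it is meant to test.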
Current thread:
- Hardcore -r question John Sage (Jun 11)
- Re: Hardcore -r question Martin Roesch (Jun 11)
- Re: Hardcore -r question John Sage (Jun 11)
- <Possible follow-ups>
- RE: Hardcore -r question Mark Evans (Jun 12)
- Re: Hardcore -r question John Sage (Jun 12)
- Re: Hardcore -r question Martin Roesch (Jun 11)