Snort mailing list archives
Re: [Snort-devel] Re: What wins? TCP headers or packet contents?
From: John Sage <jsage () finchhaven com>
Date: Wed, 11 Sep 2002 11:39:18 -0700
On Wed, Sep 11, 2002 at 11:17:13AM -0700, Erek Adams wrote:
> [added snort-dev to the cc list]
>
> On Tue, 10 Sep 2002, John Sage wrote:
>
> > Let me bring the question up to the top:
> >
> > So the question for the snort list is:
> >
> > What wins:
> >
> > TCP header stuff: i.e. the destination port,
> >
> > or,
> >
> > Packet contents stuff: i.e. a hex series within the payload of a packet, but with no match on destination port?
> >
> > <snip>
> >
> > Executive summary: Twice (once real-time, once on replay against a binary log file) I have packets matching an rpc.rules by content (a hex sequence) but not by the destination port stated in the rule.
> >
> > [...snip...]
>
> Damn you John. I haven't had enough coffee yet for questions like this. ;-)
Thank you, thank you, always eager to help :-)
> Unless I'm wrong, I think the answer is here:
>
> http://www.snort.org/docs/faq.html#3.13
That's what I thought. And it would stand to reason that TCP/IP headers would be considered before content..
> From what I read and see in the illustration, the headers start the RTN, and then the content and other things are placed in the OTN. That seems to imply that the headers would 'win' over the content.
And since the dest port didn't match, one would expect the packet to not fire off an alert..
> Everything you show seems to say that's not the case. Out of curiosity, do you still have the pcap of that packet?
Yes. Do you want it binary, ASCII, or (hmm.. what else is there?)

(Version numbers of the various bits and pieces are in my original post)

- John

--
"Obviously, we do not want to leave zombies around."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
Current thread:
- What wins? TCP headers or packet contents? John Sage (Sep 10)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: [Snort-devel] Re: What wins? TCP headers or packet contents? John Sage (Sep 11)
- Re: What wins? TCP headers or packet contents? Chris Green (Sep 12)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 14)
- Re: What wins? TCP headers or packet contents? John Sage (Sep 13)
- Re: What wins? TCP headers or packet contents? Erek Adams (Sep 11)