From: Victor J. <vi...@nk...> - 2004-10-20 13:38:49

Hello Jochen,

The TCP header does look fine to me. The only difference I see is the TCP Options string. However, the two alerts come from different connections, so I'm not surprised that they don't exactly match.

Personally, I do get alerts which include the 'TCP Options'. If there are no TCP Options in the packet, the 'TCP Options' string is not printed at all. Maybe you can look through your other alerts to see if you have the 'TCP Options' there.

Regards,
Victor

On Wednesday 20 October 2004 10:56, Jochen Vogel wrote:
> If I correlate the IDS log with the IPS log I can see the different header
> structure.
> I think that barnyard has problems parsing it correctly?
> and see that the point "TCP Options" is missing.
>
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800
> len:0x214
> 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
> IpLen:20 DgmLen:518 DF
> ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 3183946206 504897406
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 HTTP/1.0..Accept
> 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 : image/gif, ima
> 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D ge/x-xbitmap, im
> 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F age/jpeg, image/
> 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 pjpeg, applicati
>
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
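Victor's point that the 'TCP Options' line only appears when the packet actually carries options can be turned into a consistency check: TcpLen is the TCP header length in bytes, so anything above the fixed 20-byte header must be options. The script below is an added example, not code from the thread, from Snort or from barnyard; it parses the two alert headers Jochen posted (embedded here as sample input, payload hex dropped) and flags an alert whose TcpLen says options are present but whose text shows none, which is the symptom a mis-parsing log consumer would produce.

```python
import re

# Sample input: the header part of the two alerts quoted in the thread.
IPS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
"""

IDS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351 IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
"""

# On-the-wire size in bytes of the option kinds Snort prints by name.
OPTION_BYTES = {"NOP": 1, "EOL": 1, "MSS": 4, "WS": 3, "SackOK": 2, "TS": 10}


def parse_alert(text):
    """Return (tcplen, option_names); option_names is empty when the alert
    carries no 'TCP Options' line."""
    m = re.search(r"TcpLen:\s*(\d+)", text)
    if not m:
        raise ValueError("no TcpLen field in alert")
    tcplen = int(m.group(1))
    opts = []
    m = re.search(r"TCP Options \((\d+)\) => (.*)", text)
    if m:
        declared = int(m.group(1))
        # Snort prints each option name (with a trailing colon when it has
        # values) followed by its values; keep only the known option names.
        for tok in m.group(2).split():
            name = tok.rstrip(":")
            if name in OPTION_BYTES:
                opts.append(name)
        if len(opts) != declared:
            raise ValueError(f"declared {declared} options, parsed {len(opts)}")
    return tcplen, opts


def check_options(text):
    """Compare TcpLen against the printed options: the bytes above the 20-byte
    fixed header must equal the summed option sizes, otherwise the alert text
    lost (or never had) its options line somewhere in the logging chain."""
    tcplen, opts = parse_alert(text)
    expected = 20 + sum(OPTION_BYTES[o] for o in opts)
    return {"tcplen": tcplen, "options": opts,
            "option_bytes": tcplen - 20, "consistent": tcplen == expected}
```

The IPS alert passes with no options and TcpLen 20; the IDS alert passes because NOP + NOP + TS accounts for the 12 extra bytes of its TcpLen 32, and the same IDS text with the options line stripped is reported as inconsistent.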