From: Josh B. <jos...@li...> - 2004-10-20 21:18:01
The only difference is the TCP Options; however, these packets are to and from different sources and destinations. The communication logged by the IPS was probably between machines not using TCP Options at all and vice versa for the IDS.

> if I correlate the IDS log with the IPS log I can see the different header
> structure.
> I think that barnyard has problems to parse it correctly?
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80
> TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
> 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351 IpLen:20 DgmLen:518 DF
> ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 3183946206 504897406
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 HTTP/1.0..Accept
> 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 : image/gif, ima
> 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D ge/x-xbitmap, im
> 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F age/jpeg, image/
> 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 pjpeg, applicati
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
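To make the header difference concrete, here is an added example (not from the thread, and not Snort or barnyard code) that builds TCP headers shaped like the two quoted alerts and decodes the option list the way any alert writer or parser must. The headers are constructed from the values in the alerts; checksum and urgent pointer are zero placeholders.

```python
import struct
# Constructed TCP headers mirroring the two alerts quoted in the thread
# (checksum and urgent pointer are zero placeholders).
# IDS packet: 2193 -> 80, Seq 0xC6089571, Ack 0x5C7AFFCD, data offset 8
# (32-byte header), flags AP, Win 0x16B0, options NOP NOP TS.
IDS_TCP_HEADER = (
    struct.pack("!HHIIBBHHH", 2193, 80, 0xC6089571, 0x5C7AFFCD,
                8 << 4, 0x18, 0x16B0, 0, 0)
    + b"\x01\x01"                                          # NOP NOP
    + struct.pack("!BBII", 8, 10, 3183946206, 504897406)   # TS, kind 8, len 10
)
# IPS packet: data offset 5, so TcpLen 20 and no options at all.
IPS_TCP_HEADER = struct.pack("!HHIIBBHHH", 16365, 80, 0x669EF8CC,
                             0x5D3677B5, 5 << 4, 0x18, 0xFAF0, 0, 0)

def parse_tcp_options(header: bytes):
    """Return (tcplen, [option strings]) for a raw TCP header."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    tcplen = (header[12] >> 4) * 4          # data offset, in 32-bit words
    if tcplen < 20 or tcplen > len(header):
        raise ValueError("bad data offset")
    opts, out, i = header[20:tcplen], [], 0  # options sit between 20 and tcplen
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # EOL ends the list
            break
        if kind == 1:                        # NOP has no length byte
            out.append("NOP")
            i += 1
            continue
        # every other kind carries a length that counts itself; never overrun
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        if kind == 8 and length == 10:       # Timestamps: TSval, TSecr
            tsval, tsecr = struct.unpack("!II", opts[i + 2:i + 10])
            out.append(f"TS: {tsval} {tsecr}")
        else:
            out.append({2: "MSS", 3: "WS", 4: "SackOK"}.get(kind, f"Opt {kind}"))
        i += length
    return tcplen, out

def snort_options_line(header: bytes) -> str:
    # Render the result in the form the quoted alerts use.
    tcplen, opts = parse_tcp_options(header)
    line = f"TcpLen: {tcplen}"
    if opts:
        line += f" TCP Options ({len(opts)}) => " + " ".join(opts)
    return line
```

The IDS header yields `TcpLen: 32 TCP Options (3) => NOP NOP TS: 3183946206 504897406`, the IPS header just `TcpLen: 20`; the 12 extra bytes are the whole difference between the two alerts.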