From: Jochen V. <jv...@it...> - 2004-10-21 08:37:44
Thanks for all the answers. Fact is that I have no entries in the icmphdr, opt, tcphdr & udphdr tables in the mysql database if I use iptables -> snort_inline -> barnyard -> mysql

> -----Original Message-----
> From: Victor Julien [mailto:vi...@nk...]
> Sent: Wednesday, 20 October 2004 15:38
> To: Jochen Vogel
> Cc: sno...@li...; wil...@gm...
> Subject: Re: AW: AW: [Snort-inline-users] no tcp header
>
> Hello Jochen,
>
> The TCP header does look fine to me. The only difference I see is the
> TCP Options string. However, the two alerts come from different
> connections, so I'm not surprised that they don't exactly match.
> Personally, I do get alerts which include the 'TCP Options'. If there
> are no TCP Options in the packet, the 'TCP Options' string is not
> printed at all. Maybe you can look through your other alerts to see if
> you have the 'TCP Options' there.
>
> Regards,
> Victor
>
> On Wednesday 20 October 2004 10:56, Jochen Vogel wrote:
> > If I correlate the IDS log with the IPS log I can see the different
> > header structure.
> > I think that barnyard has problems parsing it correctly?
> > And I see that the point "TCP Options" is missing.
> >
> >
> > ----------------------------------------------------------------
> > IPS
> >
> > [**] WEB-MISC /etc/passwd [**]
> > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
> >
> > -------------------------------------------------------------
> > IDS
> >
> > [**] WEB-MISC /etc/passwd [**]
> > 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
> > 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
> > IpLen:20 DgmLen:518 DF
> > ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 3183946206 504897406
> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> > 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 HTTP/1.0..Accept
> > 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 : image/gif, ima
> > 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D ge/x-xbitmap, im
> > 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F age/jpeg, image/
> > 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 pjpeg, applicati
> >
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
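The two alerts quoted above are in Snort's full-alert text format, and Victor's point can be checked mechanically: a TcpLen of 20 means the packet carries no options, so no "TCP Options" line is printed, while a TcpLen above 20 has to agree with the wire sizes of the options listed. The Python below is an added example, not code from the thread, from Snort or from barnyard; the option names MSS, WS, SackOK and EOL (beyond the NOP and TS seen on the page) are assumed to be what Snort prints.

```python
import re

# Constructed samples: the two alert headers quoted in the thread, with the
# payload hex-dump lines dropped. IPS alert has no options; IDS has NOP NOP TS.
IPS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20"""

IDS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351 IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406"""

IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP "
                   r"TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^\S{8} Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x[0-9A-Fa-f]+ TcpLen: (\d+)", re.M)
OPT_RE = re.compile(r"^TCP Options \((\d+)\) => (.*)$", re.M)

# Wire sizes of common TCP options (RFC 793, 1323, 2018). NOP and TS are the
# names seen on the page; the other names are assumed Snort spellings.
OPT_SIZE = {"NOP": 1, "EOL": 1, "MSS": 4, "WS": 3, "SackOK": 2, "TS": 10}

def parse_alert(text):
    """Extract the IP/TCP header fields Snort prints in its full alert format."""
    ip, tcp = IP_RE.search(text), TCP_RE.search(text)
    if not ip or not tcp:
        raise ValueError("not a TCP alert in Snort full-alert format")
    opt = OPT_RE.search(text)
    names = re.findall(r"[A-Za-z]+", opt.group(2)) if opt else []  # option names only
    return {"src": ip.group(1), "sport": int(ip.group(2)),
            "dst": ip.group(3), "dport": int(ip.group(4)),
            "iplen": int(ip.group(7)), "dgmlen": int(ip.group(8)),
            "tcplen": int(tcp.group(1)), "options": names,
            "opt_count": int(opt.group(1)) if opt else 0}

def check_header(text):
    """Return (record, consistent); consistent is None if an option's size is unknown.
    TcpLen 20 with no 'TCP Options' line is normal: the packet simply has no options."""
    rec = parse_alert(text)
    try:
        expected = 20 + sum(OPT_SIZE[n] for n in rec["options"])
    except KeyError:
        return rec, None
    ok = expected == rec["tcplen"] and rec["opt_count"] == len(rec["options"])
    ok = ok and rec["tcplen"] % 4 == 0 and rec["iplen"] + rec["tcplen"] <= rec["dgmlen"]
    return rec, ok
```

Running both samples through check_header() reports each header as internally consistent, so the difference between the two alerts is the connection, not a parsing defect in the header itself.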