RE: Question on snorting a pcap file: msg#00131 (security.ids.snort.bleedingsnort)
Did you take the pcap with -s0? I wonder if the packets were truncated.

matt

-----Original Message-----

From: "Jack Pepper" <pepperjack-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx>

To: bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx

Sent: 1/19/07 10:58 AM

Subject: [Bleeding-sigs] Question on snorting a pcap file

I have a question: I have a sig that works over the network but doesn't work when I do "snort -r". The content statement gets a hit if the string occurs in the first 100 bytes or so. But if it's way down in the payload it never hits. Only on the "-r" stuff. Same thing over the network catches it every time.

You ever see that before?

jp