[Oisf-users] How to alert for a single TCP packet?
Lucas
lama2 at cin.ufpe.br
Tue Nov 26 04:26:42 UTC 2019
Oh, I see. Thank you for the explanation.
And yes, I'm using the pcap and the rule I sent you.
I'm sorry, how can I find the "pcap snippet from the alert"?
This is the alert-debug log:
+================
TIME: 10/13/2019-17:40:38.739730
PKT SRC: stream (flow timeout)
SRC IP: 1.2.3.4
DST IP: 192.168.1.108
PROTO: 6
SRC PORT: 33744
DST PORT: 80
TCP SEQ: 1004108996
TCP ACK: 1324967473
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 10/13/2019-17:40:38.739730
FLOW PKTS TODST: 1
FLOW PKTS TOSRC: 0
FLOW Total Bytes: 249
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: FALSE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 40
PACKET:
0000 45 00 00 28 00 00 00 00 40 06 B4 B6 01 02 03 04 E..(.... @.......
0010 C0 A8 01 6C 83 D0 00 50 3B D9 7C C4 4E F9 66 31 ...l...P ;.|.N.f1
0020 50 10 0A 00 ED D1 00 00 P.......
ALERT CNT: 1
ALERT MSG [00]: Testing rule 0
ALERT GID [00]: 1
ALERT SID [00]: 1099019
ALERT REV [00]: 0
ALERT CLASS [00]: <none>
ALERT PRIO [00]: 3
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]: 0
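Added example, not part of the original thread: a small Python decoder for the PACKET hex dump in the alert-debug output above, so you can see exactly which bytes the engine matched on. The dump text is copied from the log; the parsing code and the field names are mine.

```python
import struct
from ipaddress import IPv4Address

# Copied from the alert-debug output in this thread (PACKET LEN + hex dump rows).
ALERT_DEBUG = """PACKET LEN: 40
PACKET:
0000 45 00 00 28 00 00 00 00 40 06 B4 B6 01 02 03 04 E..(.... @.......
0010 C0 A8 01 6C 83 D0 00 50 3B D9 7C C4 4E F9 66 31 ...l...P ;.|.N.f1
0020 50 10 0A 00 ED D1 00 00 P.......
"""

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def hexdump_to_bytes(text):
    """Rebuild raw bytes from the dump rows: offset, up to 16 hex bytes, ASCII column."""
    lines = text.splitlines()
    pkt_len = next(int(l.split(":")[1]) for l in lines if l.startswith("PACKET LEN:"))
    raw = bytearray()
    for line in lines[lines.index("PACKET:") + 1:]:
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        # The ASCII column follows the hex bytes, so take only as many tokens as this row holds.
        count = min(16, pkt_len - offset)
        raw += bytes.fromhex("".join(tokens[1:1 + count]))
    return bytes(raw)


def ones_complement_sum(data):
    """Internet checksum fold; a header with a valid stored checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_tcp_packet(raw):
    """Decode IPv4 and TCP headers; payload_len shows whether any data was inspected."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, len(tcp))  # TCP pseudo-header
    return {"src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit], "window": win,
            "payload_len": len(tcp) - doff,
            "ip_csum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
            "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF}


if __name__ == "__main__":
    print(decode_tcp_packet(hexdump_to_bytes(ALERT_DEBUG)))
```

The decoded result is a bare 40-byte IPv4/TCP header with only ACK set and zero payload, which is consistent with "PKT SRC: stream (flow timeout)": the alert was raised on the pseudo-packet the engine injects when the flow times out, not on a captured packet.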