After going through a rather large event this morning, I noticed that when SNORT (v. 1.9.0 on RH 7.2) logged the packet payload to a binary file, it "double logged" the events. One entry contained the absolute TCP sequence number and the next event contained the relative sequence number. This was a rather large event - 45000+ hits, but it turns out to be 90000+ hits due to the double logging of packets.

Any ideas what might have caused this?

Thanks,
Paul

Sample Entry:

02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok] 1604735253:1604735318(65) ack 2153141295 win 8760 (DF) (ttl 107, id 17065, len 105)
0x0000 4500 0069 42a9 4000 6b06 191b a831 e902 E..iB.@.k....1..
0x0010 xxyy 8308 1279 0050 5fa6 5115 8056 542f .....y.P_.Q..VT/
0x0020 5018 2238 8bb0 0000 4845 4144 202f 4d53 P."8....HEAD./MS
0x0030 4144 432f 726f 6f74 2e65 7865 3f2f 632b ADC/root.exe?/c+
0x0040 6469 722b 633a 5c20 4854 5450 2f31 2e30 dir+c:\.HTTP/1.0
0x0050 0d0a 486f 7374 3a20 3135 392e 3134 322e ..Host:.MY.NET.
0x0060 3133 312e 380d 0a0d 0a                  131.8....

02:00:30.620000 168.49.233.2.4729 > MY.NET.131.8.80: P [tcp sum ok] 0:65(65) ack 1 win 8760 (DF) (ttl 107, id 17065, len 105)
0x0000 4500 0069 42a9 4000 6b06 191b a831 e902 E..iB.@.k....1..
0x0010 xxyy 8308 1279 0050 5fa6 5115 8056 542f .....y.P_.Q..VT/
0x0020 5018 2238 8bb0 0000 4845 4144 202f 4d53 P."8....HEAD./MS
0x0030 4144 432f 726f 6f74 2e65 7865 3f2f 632b ADC/root.exe?/c+
0x0040 6469 722b 633a 5c20 4854 5450 2f31 2e30 dir+c:\.HTTP/1.0
0x0050 0d0a 486f 7374 3a20 3135 392e 3134 322e ..Host:.MY.NET.
0x0060 3133 312e 380d 0a0d 0a                  131.8....
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
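The report above shows the same packet written twice, once with the sequence and acknowledgement numbers as they appear on the wire and once with them rewritten relative to the start of the stream; the hex dump is byte-for-byte identical in both entries, so the on-wire bytes, not the printed header, are what identify the packet. The following script is an added example (it is not from the post and not part of Snort) that parses this tcpdump-style text format, reads the real seq/ack straight out of the dumped TCP header to tell an "absolute" entry from a "relative" one, and collapses duplicates on (timestamp, endpoints, IP id, packet bytes). The embedded sample is constructed from the two entries above, with 10.0.131.8 substituted for the sanitised MY.NET destination and the Host header shortened to match, so the hex and ASCII columns agree (IP and TCP checksum fields are left as they were and are not recomputed). The post does not say why both forms were written; the script only makes the duplication visible and removes it.

```python
import re
import struct

# Constructed sample, not from the post: the two entries from the report with the
# destination written as 10.0.131.8 and the Host header shortened to match.
# Checksum fields are not recomputed, so they are not valid for these bytes.
SAMPLE_LOG = """\
02:00:30.620000 168.49.233.2.4729 > 10.0.131.8.80: P [tcp sum ok] 1604735253:1604735315(62) ack 2153141295 win 8760 (DF) (ttl 107, id 17065, len 102)
0x0000 4500 0066 42a9 4000 6b06 191b a831 e902 E..fB.@.k....1..
0x0010 0a00 8308 1279 0050 5fa6 5115 8056 542f .....y.P_.Q..VT/
0x0020 5018 2238 8bb0 0000 4845 4144 202f 4d53 P."8....HEAD./MS
0x0030 4144 432f 726f 6f74 2e65 7865 3f2f 632b ADC/root.exe?/c+
0x0040 6469 722b 633a 5c20 4854 5450 2f31 2e30 dir+c:\\.HTTP/1.0
0x0050 0d0a 486f 7374 3a20 3130 2e30 2e31 3331 ..Host:.10.0.131
0x0060 2e38 0d0a 0d0a                          .8....
02:00:30.620000 168.49.233.2.4729 > 10.0.131.8.80: P [tcp sum ok] 0:62(62) ack 1 win 8760 (DF) (ttl 107, id 17065, len 102)
0x0000 4500 0066 42a9 4000 6b06 191b a831 e902 E..fB.@.k....1..
0x0010 0a00 8308 1279 0050 5fa6 5115 8056 542f .....y.P_.Q..VT/
0x0020 5018 2238 8bb0 0000 4845 4144 202f 4d53 P."8....HEAD./MS
0x0030 4144 432f 726f 6f74 2e65 7865 3f2f 632b ADC/root.exe?/c+
0x0040 6469 722b 633a 5c20 4854 5450 2f31 2e30 dir+c:\\.HTTP/1.0
0x0050 0d0a 486f 7374 3a20 3130 2e30 2e31 3331 ..Host:.10.0.131
0x0060 2e38 0d0a 0d0a                          .8....
"""

# One header line of a tcpdump/Snort text entry (TCP with data, as in the report).
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) "
    r"(?:\[tcp sum [a-z]+\] )?(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\) "
    r"ack (?P<ack>\d+) win (?P<win>\d+) .*\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<iplen>\d+)\)"
)
# A hex word in the dump column: four hex digits, or two for a trailing odd byte.
HEX_WORD = re.compile(r"[0-9a-fA-F]{2,4}")


def parse_entries(text):
    """Parse the text dump into dicts of header fields (as strings) plus
    'packet', the raw IPv4 packet bytes rebuilt from the hex column."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = m.groupdict()
            cur["hexwords"] = []
            entries.append(cur)
        elif cur is not None and line.lower().startswith("0x"):
            for tok in line.split()[1:]:      # skip the offset column
                if HEX_WORD.fullmatch(tok):
                    cur["hexwords"].append(tok)
                else:
                    break                     # reached the ASCII column
    for e in entries:
        raw = bytes.fromhex("".join(e.pop("hexwords")))
        e["packet"] = raw[: int(e["iplen"])]  # never trust more than IP total length
    return entries


def wire_seq_ack(packet):
    """Sequence and ack numbers as actually carried in the TCP header (IHL honoured)."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!II", packet[ihl + 4:ihl + 12])


def seq_mode(entry):
    """'absolute' if the printed seq/ack match the wire bytes, otherwise 'relative'."""
    seq, ack = wire_seq_ack(entry["packet"])
    if (int(entry["seq_lo"]), int(entry["ack"])) == (seq, ack):
        return "absolute"
    return "relative"


def dedup(entries):
    """Group entries that are the same packet on the wire (same timestamp, endpoints,
    IP id and identical bytes). Returns [(first_entry, [mode of each copy]), ...]."""
    groups = {}
    for e in entries:
        key = (e["ts"], e["src"], e["dst"], e["ipid"], e["packet"])
        groups.setdefault(key, []).append(e)
    return [(g[0], [seq_mode(e) for e in g]) for g in groups.values()]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    unique = dedup(entries)
    print(f"{len(entries)} logged entries -> {len(unique)} distinct packet(s)")
    for first, modes in unique:
        print(first["ts"], first["src"], "->", first["dst"], "logged as", modes)
```

Run on a full dump, the grouping step is what turns the 90000+ entries back into the 45000+ distinct packets: every key is taken from the bytes Snort dumped rather than from the header it printed, so it survives whichever sequence-number presentation a given copy used. Keying on the packet bytes also means a genuine retransmission with different IP id or different data is kept, not merged.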