Re: Snort-1.9.0 not generating required alerts

[archana rao <archuatdavis () yahoo com>]

Hi,
   I followed the steps you had mentioned, and now I
have discovered another problem.Snort-1.9.0 is not
accepting the -s(log alerts to syslog) command line
option.It gives me either a "fatal error, quitting"
error message, or prints out the "USAGE:...."
message.I noticed that I was getting the alerts in
Snort-1.8.7 when I was using the -s option and so,
when I tried doing the same thing, Snort-1.9.0 doesn't
seem to be able to recognize the option.Any ideas?
Thanks in advance,
Archana


--- Erek Adams <erek () theadamsfamily net> wrote:
> On Tue, 15 Oct 2002, archana rao wrote:
>
> > Thanks for the reply.
>
> No problem.  :)
>
> >  The alert that I expect to be generated has
> sid:981.
>
> Ok, lets have a look at the rules:
>
> 1.8.7
>  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-IIS File
>  permission canonicalization";
> uricontent:"/scripts/..%c0%af../"; flags:A+;
>  nocase; classtype:web-application-attack; sid:981; 
> rev:5;)
>
> 1.9.0
>  web-iis.rules:alert tcp $EXTERNAL_NET any ->
> $HTTP_SERVERS $HTTP_PORTS
>  (msg:"WEB-IIS File permission canonicalization";
>  uricontent:"/scripts/..%c0%af../";
> flow:to_server,established; nocase;
>  classtype:web-application-attack; sid:981;  rev:5;)
>
>
> Note that on 1.8.7 it uses the 'flags:A+' setup. 
> That used to be prone to a
> lot of false postives and so 'flow' was added.
>
> > It does look for the "flow:to_server,
> established", but I am establishing a
> > session before sending the packets. I am doing
> tcpdump of the traffic
> > between my attacking machine and the machine being
> attacked.I am writing the
> > output of tcpdump into a file and using this
> tcpdump formatted file as input
> > to Snort.These were the same steps that I followed
> in Snort-1.8.7. Am I
> > missing out something?As I mentioned earlier, I am
> establishing a session
> > before firing the packets.
>
> One thing that you might be getting the problem from
> is that the snaplen of
> tcpdump is 64bytes where snort's is 1514bytes. 
> Usually, w/tcpdump you only
> get the headers and a small bit of the data, unless
> you explicitly change the
> snaplen.
>
> Try recording the session using a bigger snaplen or
> with snort.  Fire the
> exploit and see if you can get a capture.  Once you
> get that try running the
> newcapture thru snort and see what you are getting. 
> Something like 'snort -b
> <options> "host <victim>" ' should get the capture
> you need.  Then 'snort
> -vader <logfile>' would run the data on the screen.
>
> Good luck!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?http://www.viaverio.com/
consolidator/osdn.cfm


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users