Snort mailing list archives

can't execute a rule.


From: "samwun" <samwun () hgcbroadband com>
Date: Wed, 13 Aug 2003 23:03:36 +0800


Hi,

I want to give alert/warning of the following tcpdump capture:

23:43:20.976543 192.168.1.20.1203 > hgate.8888: P 1:44(43) ack 1 win 
5840 <nop,nop,timestamp 215985196 1531525> (DF) (ttl 64, id 63020)
  0000: 4500 005f f62c 4000 4006 1ba4 c0a8 0114  E.._ö,@.@..¤À¨..
  0010: zzzz xxxx 04b3 22b8 1bcb 5a04 356c aa1a  Ú½.N.³"¸.ËZ.5lª.
  0020: 8018 16d0 6ccc 0000 0101 080a 0cdf ac2c  ...ÐlÌ.......߬,
  0030: 0017 5e85 504f 5354 202f 696e 6465 782e  ..^.POST /index.
  0040: 6874 6d6c 3f63 7261 703d 3130 3630 3730  html?crap=106070
  0050: 3138                                     18

I've tried all of the following rules, but none of them are working:

alert tcp any any -> any any (msg:"WEB-MISC 0 crap=10601855 access ";
flow:to_server,established; uricontent:"/index.html?crap="; sid:1000001;
rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC 1
crap=10601855 access "; flow:to_server,established;
uricontent:"/index.html?crap="; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC 2
crap=10601855 access "; flow:to_server,established;
uricontent:"/index.html?crap="; sid:1000001; rev:1;)

I also assigned the following variables and values in snort.conf file:

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET 213.190.178.0/24
var HTTP_PORTS 8888


The snort command I used is:

snort -c /usr/local/snort.2.0.0/etc/snort.conf

What should I do to make Snort work in this case?

Thanks
Sam
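As an added illustration (not part of Sam's post or of Snort itself), the script below resolves the posted snort.conf variables and checks the captured packet's addresses and ports against the header of each of the three rules, which is the first thing to rule out before looking at the uricontent/flow options (those depend on the HTTP and stream preprocessors, which this example does not model). It assumes hgate's address is 192.168.1.1 inside HOME_NET, since the hex dump hides it.

```python
import ipaddress

# Variables as posted in the user's snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24",
        "EXTERNAL_NET": "213.190.178.0/24",
        "HTTP_PORTS": "8888"}

# Headers of the three rules from the post (options omitted; only the header is checked here).
RULE_HEADERS = {
    "WEB-MISC 0": "alert tcp any any -> any any",
    "WEB-MISC 1": "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS",
    "WEB-MISC 2": "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any",
}

# The packet from the tcpdump line: 192.168.1.20.1203 > hgate.8888.  The dump hides
# hgate's address, so 192.168.1.1 is an assumed placeholder inside HOME_NET.
PACKET = {"src_ip": "192.168.1.20", "src_port": 1203,
          "dst_ip": "192.168.1.1", "dst_port": 8888}

def expand(token, variables):
    """Resolve a $VAR reference to its snort.conf value; plain tokens pass through."""
    return variables[token[1:]] if token.startswith("$") else token

def ip_matches(spec, ip):
    """'any' or a single CIDR/host; lists and negation ([...], !) are not modelled."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """'any' or a single port number; ranges (lo:hi) are not modelled."""
    return spec == "any" or int(spec) == port

def check_header(header, packet, variables=VARS):
    """Return (matches, reason) for one rule header against one packet."""
    _action, _proto, s_ip, s_port, _arrow, d_ip, d_port = header.split()
    checks = [
        ("source IP", ip_matches(expand(s_ip, variables), packet["src_ip"])),
        ("source port", port_matches(expand(s_port, variables), packet["src_port"])),
        ("destination IP", ip_matches(expand(d_ip, variables), packet["dst_ip"])),
        ("destination port", port_matches(expand(d_port, variables), packet["dst_port"])),
    ]
    failed = [name for name, ok in checks if not ok]
    if failed:
        return False, "header cannot match: " + ", ".join(failed)
    return True, "header matches; look at the options/preprocessors next"

def check_all(packet=PACKET):
    """Evaluate every posted rule header against the captured packet."""
    return {name: check_header(h, packet) for name, h in RULE_HEADERS.items()}

if __name__ == "__main__":
    for name, (ok, why) in check_all().items():
        print(f"{name}: {'MATCH' if ok else 'no match'} ({why})")
```

Only the first rule's header can match this packet; the other two fail on the source address (and, for the third, the source port), so their options are never evaluated.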




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net