Snort mailing list archives
can't execute a rule.
From: "samwun" <samwun () hgcbroadband com>
Date: Wed, 13 Aug 2003 23:03:36 +0800
Hi, I want to give alert/warning of the following tcpdump capture: 23:43:20.976543 192.168.1.20.1203 > hgate.8888: P 1:44(43) ack 1 win 5840 <nop,nop,times tamp 215985196 1531525> (DF) (ttl 64, id 63020) 0000: 4500 005f f62c 4000 4006 1ba4 c0a8 0114 E.._ö,@.@..¤À¨.. 0010: zzzz xxxx 04b3 22b8 1bcb 5a04 356c aa1a Ú½.N.³"¸.ËZ.5lª. 0020: 8018 16d0 6ccc 0000 0101 080a 0cdf ac2c ...ÐlÌ.......߬, 0030: 0017 5e85 504f 5354 202f 696e 6465 782e ..^.POST /index. 0040: 6874 6d6c 3f63 7261 703d 3130 3630 3730 html?crap=106070 0050: 3138 18 I've tried all the following rules are not working: alert tcp any any -> any any (msg:"WEB-MISC 0 crap=10601855 access "; flow:to_server,established; uricontent:"/index.html?crap="; sid:1000001; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC 1 crap=10601855 access "; flow:to_server,established; uricontent:"/index.html?crap="; sid:1000001; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC 2 crap=10601855 access "; flow:to_server,established; uricontent:"/index.html?crap="; sid:1000001; rev:1;) I also assigned the following variables and values in snort.conf file: var HOME_NET 192.168.1.0/24 var EXTERNAL_NET 213.190.178.0/24 var HTTP_PORTS 8888 The snort command I used is: Snort -c /usr/local/snort.2.0.0/etc/snort.conf What should I do to make snort to work in this case? Thanks Sam ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- reading a new rule. samwun (Aug 10)
- Re: reading a new rule. Erek Adams (Aug 10)
- RE: reading a new rule. samwun (Aug 10)
- RE: reading a new rule. Erek Adams (Aug 11)
- RE: reading a new rule. samwun (Aug 12)
- can't execute a rule. samwun (Aug 13)
- capture any packet with an none-continue ID number samwun (Aug 13)
- Re: capture any packet with an none-continue ID number Erek Adams (Aug 13)
- Re: capture any packet with an none-continue ID number Matt Kettler (Aug 13)
- RE: reading a new rule. samwun (Aug 10)
- Re: reading a new rule. Erek Adams (Aug 10)