Snort mailing list archives
RE: rules with flow:established not working
From: "Ed Callahan" <snort () edcallahan com>
Date: Fri, 24 Oct 2003 15:23:01 -0500
Erek -

The rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"test"; flow:established;)

and the minimal snort.conf:

    var HOME_NET 10.2.2.50
    var EXTERNAL_NET any
    preprocessor frag2
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    include c:/snort/etc/classification.config
    include c:/snort/etc/reference.config
    include c:/snort/rules/local.rules

results in silence. (10.2.2.50 is the IP of the computer I'm debugging with.)

The rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"test";)

gets lots of hits when I visit the server's websites.

Does anyone know how I could use tcpdump (well, windump in my case since I'm on a Win2003 server) to debug this problem? How does snort know the flow is established? Can I look at the packets to see if the problem is with the NIC/OS or with WinPcap/Snort?

Ed Callahan
snort () edcallahan com

On Fri, 24 Oct 2003 Erek wrote:
> Out of idle curiosity... Do you have HOME_NET and EXTERNAL_NET defined? If not, modify your rule so that it uses HOME_NET and EXTERNAL_NET. See if that makes a difference...
>
> The reason I'm asking is that I've got that set on my sensors here... I'm getting plenty-o-crap bouncing off of my boxes. I'm just playing the averages here... :)
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
>
> On Fri, 24 Oct 2003, Ed Callahan wrote:
>
> > Thanks for the idea Erek, but I get the absolute silence from that rule as
> > well. I have removed "established" from all my rules and now am getting all
> > sorts of snort reports of attacks on my IIS box (as expected), but with
> > established back in there I get no IIS reports.
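The question "how does snort know the flow is established?" is answered by the stream preprocessor, not the rule: a session only becomes "established" once the sensor has itself observed the TCP three-way handshake. The following is an added example (not Snort's code and not part of this thread) that models that decision in a simplified way and reproduces the symptom described above: packets for a session whose handshake the sensor never saw (sensor started mid-session, or only one direction of traffic reaches the capture NIC) never match a flow:established rule, while the same packets match the rule without it. All IP addresses, ports and payloads are constructed, and the state machine is an assumption about how such a tracker behaves, not a description of stream4's internals.

```python
# Simplified model of a TCP stream tracker deciding whether a flow is
# "established" for rule matching.  Added example, not Snort code.
# Assumption: a session is established only after the tracker has seen
# SYN, SYN/ACK and the final ACK itself.  Packets below are constructed.
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    # NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    state: str = "NONE"


def session_key(p: Packet):
    """Direction-independent 4-tuple so both sides map to one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class StreamTracker:
    def __init__(self):
        self.sessions = {}

    def update(self, p: Packet) -> Session:
        s = self.sessions.setdefault(session_key(p), Session())
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if s.state == "NONE" and syn and not ack:
            s.state = "SYN_SENT"          # client SYN seen
        elif s.state == "SYN_SENT" and syn and ack:
            s.state = "SYN_RECV"          # server SYN/ACK seen
        elif s.state == "SYN_RECV" and ack and not syn:
            s.state = "ESTABLISHED"       # handshake completed on the wire
        # Data packets on a session that never progressed past NONE stay NONE:
        # this is the mid-stream pickup case that silences flow:established.
        return s


def rule_matches(p: Packet, s: Session, home_net: str,
                 dport=None, require_established=True) -> bool:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET <dport> (flow:established;)"""
    if p.dst != home_net:
        return False
    if dport is not None and p.dport != dport:
        return False
    if require_established and s.state != "ESTABLISHED":
        return False
    return True


def run(packets, home_net: str, require_established=True) -> int:
    """Feed packets through the tracker and count rule hits."""
    tracker = StreamTracker()
    hits = 0
    for p in packets:
        s = tracker.update(p)
        if rule_matches(p, s, home_net, require_established=require_established):
            hits += 1
    return hits


def handshake_then_get(client: str, server: str):
    """Constructed capture: full 3-way handshake followed by an HTTP request."""
    return [
        Packet(client, 40000, server, 80, SYN),
        Packet(server, 80, client, 40000, SYN | ACK),
        Packet(client, 40000, server, 80, ACK),
        Packet(client, 40000, server, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    ]


def midstream_get(client: str, server: str):
    """Constructed capture: sensor only sees the data packet, no handshake."""
    return [Packet(client, 40000, server, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")]


if __name__ == "__main__":
    home = "10.2.2.50"           # HOME_NET from the snort.conf above
    client = "192.0.2.10"        # constructed external address
    print("handshake seen, flow:established :", run(handshake_then_get(client, home), home))
    print("mid-stream,     flow:established :", run(midstream_get(client, home), home))
    print("mid-stream,     no flow option   :", run(midstream_get(client, home), home, False))
```

When checking a windump/tcpdump capture against this symptom, the thing to look for is whether the trace contains the client SYN and the server SYN/ACK for the connections you expect to alert on; if only the data packets (or only one direction) are present, the stream tracker never reaches ESTABLISHED and every rule carrying flow:established is silent, which points at the capture path (NIC, mirroring or WinPcap) rather than at the rule.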