Snort mailing list archives
Re: Creating a simple rule.
From: Paul Halliday <paul.halliday () gmail com>
Date: Sat, 19 Nov 2005 16:51:13 -0400
The Packet:

Transmission Control Protocol, Src Port: pptp (1723), Dst Port: 2428 (2428), Seq: 190, Ack: 2594307140, Len: 0
    Source port: pptp (1723)
    Destination port: 2428 (2428)
    Sequence number: 190 (relative sequence number)
    Header length: 20 bytes
    Flags: 0x0004 (RST)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x7b63 [correct]

0000  00 01 80 3b 0a 93 08 00 20 9f f9 5d 08 00 45 00   ...;.... ..]..E.
0010  00 28 3f e3 40 00 38 06 8e 58 8e e3 25 07 c0 a8   .(?.@.8..X..%...
0020  00 02 06 bb 09 7c 86 7b 29 36 00 00 00 00 50 04   .....|.{)6....P.
0030  00 00 7b 63 00 00 55 55 55 55 55 55               ..{c..UUUUUU

The Rule:

alert tcp any any -> any any (msg:"PPTP: Connection Failed"; content:"|00 50 04|"; classtype:misc-activity; sid:1000001; rev:1;)

I know it shouldn't be 'any any' but I was trying to eliminate possibilities as to why it wouldn't work. This also probably isn't the best way to track this; I was just looking at the bleeding ssh connection rule, and it uses flags. I am just playing around.

Thanks.

On 11/19/05, Jason Brvenik <jasonb () sourcefire com> wrote:
> On its face that should work but there could be a number of problems with the rule or the packet. Can you provide the actual packet and rule you are testing with?
>
> Paul Halliday wrote:
> > I am just trying to make a couple simple rules but they fail to fire. Can someone just clarify this:
> >
> > I am looking at a TCP packet with ethereal that looks like this:
> >
> > 06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00
> >
> > I want the rule to fire on the pattern 00 50 04
> >
> > I have a rule that looks like:
> >
> > content:"|00 50 04|"
> >
> > yet it doesn't fire. Is there something that I have missed?
> >
> > Thanks.
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
> Register for a JBoss Training Course. Free Certification Exam
> for All Training Attendees Through End of 2005. For more info visit:
> http://ads.osdn.com/?ad_idv28&alloc_id845&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
_________________
Paul Halliday
http://pintumbler.com/
"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
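As an added example (not code from the thread), the frame Paul posted is dissected below to show where the |00 50 04| bytes actually sit: Snort's content keyword is matched against the TCP payload, and this RST carries none (Len: 0), so the bytes land inside the TCP header and the trailing 0x55 bytes are Ethernet padding beyond the IP total length. Function and field names are my own.

```python
import struct

# Frame bytes copied from the Ethereal hex dump quoted in the thread (constructed input).
FRAME = bytes.fromhex(
    "00 01 80 3b 0a 93 08 00 20 9f f9 5d 08 00 45 00 "
    "00 28 3f e3 40 00 38 06 8e 58 8e e3 25 07 c0 a8 "
    "00 02 06 bb 09 7c 86 7b 29 36 00 00 00 00 50 04 "
    "00 00 7b 63 00 00 55 55 55 55 55 55"
)
PATTERN = bytes.fromhex("00 50 04")  # the content:"|00 50 04|" from the posted rule


def dissect(frame):
    """Split an Ethernet/IPv4/TCP frame into header boundaries, payload and trailer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = 14                                   # Ethernet II header is 14 bytes
    ihl = (frame[ip] & 0x0F) * 4              # IPv4 header length in bytes
    ip_total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    data_offset = (frame[tcp + 12] >> 4) * 4  # TCP header length in bytes
    return {
        "tcp_start": tcp,
        "tcp_hdr_len": data_offset,
        "flags": frame[tcp + 13],
        # Payload ends at the IP total length; anything past it is link-layer padding.
        "payload": frame[tcp + data_offset:ip + ip_total_len],
        "padding": frame[ip + ip_total_len:],
    }


def locate(frame, pattern):
    """Report whether pattern is in the raw frame, in the TCP header, or in the payload."""
    d = dissect(frame)
    raw = frame.find(pattern)
    hdr_end = d["tcp_start"] + d["tcp_hdr_len"]
    return {
        "raw_offset": raw,                                  # -1 if absent
        "in_tcp_header": d["tcp_start"] <= raw < hdr_end,
        "in_payload": d["payload"].find(pattern) != -1,     # what a content match sees
        "payload_len": len(d["payload"]),
        "flags": d["flags"],
        "padding_len": len(d["padding"]),
    }


if __name__ == "__main__":
    r = locate(FRAME, PATTERN)
    print(f"pattern at frame offset {r['raw_offset']:#x}, in TCP header: {r['in_tcp_header']}")
    print(f"TCP payload length {r['payload_len']}, pattern in payload: {r['in_payload']}")
    print(f"flags {r['flags']:#04x} (0x04 = RST), Ethernet padding bytes: {r['padding_len']}")
```

A bare RST with no payload can only be matched on header fields, which is why the bleeding rule Paul mentions keys on flags (for example flags:R) rather than on content.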
Current thread:
- Creating a simple rule. Paul Halliday (Nov 19)
- Re: Creating a simple rule. Jason Brvenik (Nov 19)
- Re: Creating a simple rule. Paul Halliday (Nov 19)
- Re: Creating a simple rule. snort user (Nov 19)
- Re: Creating a simple rule. Jason Brvenik (Nov 19)
- Re: Creating a simple rule. Paul Halliday (Nov 19)
- Re: Creating a simple rule. snort user (Nov 19)
- Re: Creating a simple rule. Jason Brvenik (Nov 19)