Snort mailing list archives

Re: Content checking in Snort-2.8.3.2


From: bahamin takhtaei <b_takhtaei () yahoo com>
Date: Tue, 27 Jan 2009 05:03:27 -0800 (PST)

I run Snort with these options:
 snort -Qc snort.conf

Regards,
Bahamin

--- On Tue, 1/27/09, Joel Esler <eslerj () gmail com> wrote:
From: Joel Esler <eslerj () gmail com>
Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
To: b_takhtaei () yahoo com
Cc: "Leon Ward" <seclists () rm-rf co uk>, snort-users () lists sourceforge net
Date: Tuesday, January 27, 2009, 7:59 AM

What are your Snort command line options?

J

On Tue, Jan 27, 2009 at 2:19 AM, bahamin takhtaei <b_takhtaei () yahoo com>
wrote:

Hi Leon,
Thanks for your attention. I run Snort in inline mode using IP_QUEUE.
I add these rules to iptables:

iptables -A    INPUT  -p tcp --dport 80 -j QUEUE
iptables -A OUTPUT -p tcp --sport 80 -j QUEUE

and it seems that the traffic arrives at Snort correctly.

(Notice: I add an ICMP rule to local.rules:
alert icmp any any -> any any (sid:100010010; msg:"icmp-cont-test"; content:"abcdefgh";)
and check it by sending a ping request to the Snort machine: it's triggered,
so I think my Snort has a problem with TCP traffic?!)


--- On Mon, 1/26/09, Leon Ward <seclists () rm-rf co uk> wrote:

From: Leon Ward <seclists () rm-rf co uk>
Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
To: b_takhtaei () yahoo com
Cc: "snort" <snort-users () lists sourceforge net>
Date: Monday, January 26, 2009, 4:25 AM

Hello
On 25 Jan 2009, at 14:25, bahamin takhtaei wrote:

Hi,
I install Snort-2.8.3.2 and check some content rules, but Snort can't match
any content with "content-length > 2"!

Snort can match more than that, so let's change the question slightly.
What are you trying to match? Got a pcap?
-Leon

for example:

I add these rules to local.rules:
1. alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)
2. alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)
3. alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)
4. alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)
-----------------------------------------------------------------------

then send HTTP traffic to the Snort machine that contains many "the" patterns,
but only rule 1 and rule 4 are triggered. Why, please?

Notice: my snort.conf is the sample config file that is on snort.org.


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourceForge Community
SourceForge wants to tell your story.

http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-- 
Joel Esler
T: 302-223-5974 (-) iChat: eslerjoel (-) Gtalk: jesler () sourcefire com
[m]



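Added example, not code from the thread: a small Python matcher that decodes Snort's content syntax (plain text, the |hex| byte sections used in rules 3 and 4, and the nocase modifier) and runs the four rules quoted above against an HTTP payload. The rule text is copied from the thread; the payload and all function names are constructed for this example.

```python
import re

# The four rules from the thread, each on one line (the mail client wrapped them).
RULES = [
    'alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)',
    'alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)',
    'alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)',
    'alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)',
]

# Constructed HTTP payload (not from the thread): several "the" and the bytes " and dir".
PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html>The index of the site and directory listing of the server.</html>")


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: plain text outside |...|, hex byte pairs inside.
    Backslash escapes are not handled; none of the rules above use them."""
    out = bytearray()
    for idx, chunk in enumerate(spec.split("|")):
        if idx % 2 == 1:
            out += bytes.fromhex(chunk)  # fromhex ignores the spaces between byte pairs
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Pull sid, decoded content and the nocase flag out of the rule's option section."""
    sid = int(re.search(r"sid:\s*(\d+)\s*;", rule).group(1))
    content = parse_content(re.search(r'content:\s*"([^"]*)"\s*;', rule).group(1))
    nocase = re.search(r"\bnocase\s*;", rule) is not None
    return {"sid": sid, "content": content, "nocase": nocase}


def rule_matches(rule: str, payload: bytes) -> bool:
    """Plain substring search, which is what a content option with no offset/depth/distance asks for."""
    r = parse_rule(rule)
    if r["nocase"]:
        return r["content"].lower() in payload.lower()
    return r["content"] in payload


def evaluate(rules, payload: bytes) -> dict:
    """Map each rule's sid to whether its content is found in the payload."""
    return {parse_rule(r)["sid"]: rule_matches(r, payload) for r in rules}


if __name__ == "__main__":
    for sid, hit in evaluate(RULES, PAYLOAD).items():
        print(sid, "match" if hit else "no match")
```

Against this payload all four rules hit with a plain substring search (rule 3 decodes to " and dir", rule 4 to " a"), so the patterns themselves do not explain why only rules 1 and 4 fired in the thread.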
