Snort mailing list archives
Re: Content checking in Snort-2.8.3.2
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Tue, 27 Jan 2009 09:01:26 -0500
Maybe I missed something in the thread, but if you're sending "the" as the pattern, then "and<space>dir", the content in rule 3, isn't going to match.

61 6e 64 20 64 69 72
a  n  d  <> d  i  r

What happens when you test each rule individually? IE 4 snort.confs with only one rule in each:

Test 1: snort.conf with only 10001001
Test 2: snort.conf with only 10001002
Test 3: snort.conf with only 10001003
Test 4: snort.conf with only 10001004

Cheers,
-matt

On Tue, Jan 27, 2009 at 8:03 AM, bahamin takhtaei <b_takhtaei () yahoo com> wrote:
> I run snort by these options:
>
> snort -Qc snort.conf
>
> Regards,
> Bahamin
>
> --- On Tue, 1/27/09, Joel Esler <eslerj () gmail com> wrote:
>
> > From: Joel Esler <eslerj () gmail com>
> > Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
> > To: b_takhtaei () yahoo com
> > Cc: "Leon Ward" <seclists () rm-rf co uk>, snort-users () lists sourceforge net
> > Date: Tuesday, January 27, 2009, 7:59 AM
> >
> > What are your Snort command line options?
> >
> > J
> >
> > On Tue, Jan 27, 2009 at 2:19 AM, bahamin takhtaei <b_takhtaei () yahoo com> wrote:
> >
> > > Hi Leon,
> > > Thanks for your attention.
> > > I run Snort in Inline mode using IP_QUEUE. I add these rules to iptables:
> > >
> > > iptables -A INPUT -p tcp --dport 80 -j QUEUE
> > > iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
> > >
> > > and it seems that the traffic arrives at Snort correctly.
> > > (Notice: I add an ICMP rule to local.rules:
> > >
> > > alert icmp any any -> any any (sid:100010010;msg:"icmp-cont-test";content:"abcdefgh";)
> > >
> > > and check it by sending a ping request to the Snort machine: it's triggered, so I think my Snort has a problem with tcp traffic?!)
> > >
> > > --- On Mon, 1/26/09, Leon Ward <seclists () rm-rf co uk> wrote:
> > >
> > > > From: Leon Ward <seclists () rm-rf co uk>
> > > > Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
> > > > To: b_takhtaei () yahoo com
> > > > Cc: "snort" <snort-users () lists sourceforge net>
> > > > Date: Monday, January 26, 2009, 4:25 AM
> > > >
> > > > Hello
> > > >
> > > > On 25 Jan 2009, at 14:25, bahamin takhtaei wrote:
> > > >
> > > > > Hi,
> > > > > I install Snort-2.8.3.2 and check some content-rules, but Snort can't match any content with "content-length > 2"!
> > > >
> > > > Snort can match more than that, so let's change the question slightly. What are you trying to match? Got a pcap?
> > > >
> > > > -Leon
> > > >
> > > > > for example: I add these rules to local.rules:
> > > > >
> > > > > 1. alert tcp any any -> any any (sid:10001001; msg:"http-th";content:"th";nocase;)
> > > > > 2. alert tcp any any -> any any (sid:10001002;msg:"http-the";content:"the"; nocase;)
> > > > > 3. alert tcp any any -> any any (sid:10001003;msg:"http-hex"; content: "|2061 6e 64 20 64 69 72|"; nocase;)
> > > > > 4. alert tcp any any -> any any (sid:10001004;msg:"http-hex2"; content:"|2061|"; nocase;)
> > > > > -----------------------------------------------------------------------
> > > > >
> > > > > then send HTTP traffic to the Snort machine that contains many "the" patterns, but only rule 1 and rule 4 are triggered. Why please?
> > > > >
> > > > > Notice: my snort.conf is the sample config file that is on snort.org.
> > > >
> > > > ------------------------------------------------------------------------------
> > > > This SF.net email is sponsored by: SourcForge Community
> > > > SourceForge wants to tell your story.
> > > > http://p.sf.net/sfu/sf-spreadtheword
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-)
> > iChat: eslerjoel (-)
> > Gtalk: jesler () sourcefire com [m]
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928