Snort mailing list archives
Re: Question about rules
From: Ricardo Barbosa <ricardobarbosams () yahoo com br>
Date: Wed, 27 Jan 2010 11:00:33 -0800 (PST)
Following is the output of the command:

root@capsula:~# ldd /usr/sbin/snort
    linux-gate.so.1 => (0x008f2000)
    libpcre.so.3 => /lib/libpcre.so.3 (0x005dc000)
    libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x001a8000)
    libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0x008f3000)
    libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0x00cce000)
    libprelude.so.2 => /usr/lib/libprelude.so.2 (0x001db000)
    libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00994000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00ef8000)
    libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00e7f000)
    libz.so.1 => /lib/libz.so.1 (0x0033f000)
    libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00110000)
    libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x0018c000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x0078d000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00355000)
    /lib/ld-linux.so.2 (0x00c5c000)
    libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00306000)
root@capsula:~#

Regards.

--- On Wed, 27/1/10, rmkml <rmkml () free fr> wrote:

From: rmkml <rmkml () free fr>
Subject: Re: [Snort-users] Question about rules
To: "Ricardo Barbosa" <ricardobarbosams () yahoo com br>
Cc: rmkml () free fr
Date: Wednesday, 27 January 2010, 9:08

/usr/bin/ldd /usr/sbin/snort ?
Regards
Rmkml

On Wed, 27 Jan 2010, Ricardo Barbosa wrote:

Hello rmkml, I tested with the parameter -k none, however it did not work. The libpcap is installed, but I noticed in the logs that it does not use it; I am getting "snort not using pcap frames". Do I need to use the pcap lib with snort? Is this the cause of it not quite getting the http payload? Because I changed the rule, and as I am doing tests from the text browser Links, I changed the content to content:"Links" and it worked. I put the word "Links" because it is what appears in the wireshark logs. How do I enable libpcap with snort? Thank you.

Regards,

--- On Wed, 27/1/10, rmkml <rmkml () free fr> wrote:

From: rmkml <rmkml () free fr>
Subject: Re: [Snort-users] Question about rules
To: "Ricardo Barbosa" <ricardobarbosams () yahoo com br>
Cc: rmkml () free fr
Date: Wednesday, 27 January 2010, 7:46

Ok, thank you. Maybe you have a (network) pcap please? Have you tested adding "-k none" on the cmd line when starting snort?
Regards
Rmkml

On Wed, 27 Jan 2010, Ricardo Barbosa wrote:

Hi rmkml, answering the questions:

> what snort version you test please?

root@capsula:~# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.4.1 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

root@capsula:~#

> Do you send your conf?

/etc/snort/snort.debian.conf
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="20.0.0.0/8"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

/etc/snort/snort.conf
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
   track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor smtp: \
   ports { 25 587 691 } \
   inspection_type stateful \
   normalize cmds \
   normalize_cmds { EXPN VRFY RCPT } \
   alt_max_command_line_len 260 { MAIL } \
   alt_max_command_line_len 300 { RCPT } \
   alt_max_command_line_len 500 { HELP HELO ETRN } \
   alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
   memcap { 10000000 } \
   sense_level { low }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: \
   ports { 53 } \
   enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/experimental.rules
include threshold.conf

> snort cmd line starting please?

/usr/sbin/snort -m 027 -D -d -v -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[10.0.0.0/8] -i eth0

> for example, maybe disable checksum with '-k none' on cmd line...
> you have created a html page (http reply server side), and you have created a snort rule on client (to server) side...
> Regards

In desperation, I tried the following rules:

alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)
alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)
alert tcp any any <> any any (content:"teste rule"; http_client_body; msg:"TEST HTTP"; sid:100000000; depth:1000;)

without success in all. No idea where I can be wrong or missing some preprocessor.

Thank you. Regards.
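The three rules at the end of the thread all carry sid 100000000, and the last one adds http_client_body, a content modifier that restricts the search to the body of an HTTP client request, so it can never see text in the server's reply. The following is an added example, not code from the thread or from Snort: a simplified model of the rule header plus content, http_client_body and depth, run against a constructed request/response pair (addresses, ports and payloads are assumptions).

```python
# Added example, not code from the thread or from Snort: a simplified model of how the
# thread's rules see an HTTP exchange (header fields, content, http_client_body, depth).
import ipaddress, re
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Constructed sample exchange (assumed addresses): a browser at 10.9.9.9 fetches a page from 10.1.2.3:80.
REQUEST = dict(src='10.9.9.9', sport=51000, dst='10.1.2.3', dport=80,
               payload='GET /t.html HTTP/1.1\r\nHost: capsula\r\n\r\n')
RESPONSE = dict(src='10.1.2.3', sport=80, dst='10.9.9.9', dport=51000,
                payload='HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>teste rule</p>')

def parse_rule(text):
    """Header fields plus the option list in order (modifiers bind to the most recent content)."""
    _act, _proto, src, sport, direction, dst, dport, opts = HEADER_RE.match(text.strip()).groups()
    options = [tuple(s.strip() for s in o.partition(':')[::2]) for o in opts.split(';') if o.strip()]
    return dict(src=src, sport=sport, dir=direction, dst=dst, dport=dport, opts=options)

def addr_ok(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def port_ok(spec, port):
    return spec == 'any' or int(spec) == port

def header_ok(rule, pkt):
    """Addresses and ports of the rule header; '<>' also accepts the reverse direction."""
    def one_way(a, ap, b, bp):
        return (addr_ok(rule['src'], a) and port_ok(rule['sport'], ap)
                and addr_ok(rule['dst'], b) and port_ok(rule['dport'], bp))
    fwd = one_way(pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
    rev = one_way(pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
    return fwd or (rule['dir'] == '<>' and rev)

def client_body(payload):
    """Buffer searched by http_client_body: the body of a client request; a server reply has none."""
    if payload.startswith('HTTP/'):
        return ''
    _head, sep, body = payload.partition('\r\n\r\n')
    return body if sep else ''

def payload_ok(rule, payload):
    """Every content must be found; http_client_body and depth narrow the most recent content's buffer."""
    contents = []                       # [needle, buffer] per content option, in rule order
    for key, val in rule['opts']:
        if key == 'content':
            contents.append([val.strip('"'), payload])
        elif key == 'http_client_body' and contents:
            contents[-1][1] = client_body(payload)
        elif key == 'depth' and contents:
            contents[-1][1] = contents[-1][1][:int(val)]
    return all(needle in buf for needle, buf in contents)

def matches(rule_text, pkt):
    rule = parse_rule(rule_text)
    return header_ok(rule, pkt) and payload_ok(rule, pkt['payload'])
```

Running the thread's first rule against RESPONSE matches, while the http_client_body rule matches neither the reply nor a bodiless GET; it only fires on a request that carries the string in its body.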
Current thread:
- Question about rules Ricardo Barbosa (Jan 26)
- <Possible follow-ups>
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Matt Olney (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Matt Olney (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Joel Esler (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)