Snort mailing list archives
Re: Snort not inspecting all traffic sourcing from itself?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 9 Jun 2010 16:59:05 -0400
Try adding -k none to your Snort command line.

--
Joel Esler
Sent from my iPhone

On Jun 9, 2010, at 4:45 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

> Hello. I'm curious. I am running Snort 2.8.5.1 on an Ubuntu 8.04 web server and I have the following two very simple rules enabled (and nothing else):
>
> alert tcp any any -> any any (msg:"TCP SYN packet seen!"; flags:S; classtype:bad-unknown; sid:54002346; rev:1;)
> alert tcp any any -> any any (msg:"HTTP GET detected"; content:"GET"; nocase; classtype:bad-unknown; sid:68000036; rev:1;)
>
> Now before people start complaining, this is for testing only, not real rules, so no need to criticise them.
>
> Anyway, if I make an HTTP GET request from a different machine to the Snort machine (which is running a web server, remember), both rules fire. If the Snort machine serves up a web page that has the word "GET" in it, the rules fire again (different HTTP session). However, if I log on to the Snort machine, fire up a web browser, and start surfing, only the SYN rule fires, despite the fact that "GET" is clearly in the traffic when I do a tcpdump on it. So for some reason, Snort is not inspecting all traffic (although some, since the SYN rule fired) sourcing from itself.
>
> Here are my Stream5 options in snort.conf:
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>     overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>     161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
>     7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 , \
>     ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
>     7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
> preprocessor stream5_udp: timeout 180
>
> Cheers,
> -L0rd Ch0de1m0rt
>
> ---------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
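Joel's -k none switches off Snort's checksum verification (the -k modes are all, none, noip, notcp, noudp and noicmp). The reason that matters for traffic the sensor host sends itself is NIC checksum offloading: the kernel hands the outgoing segment to libpcap before the card fills in the TCP checksum, so the capture shows a bad checksum and, under the default -k all, the decoder flags the packet and the rules never get to match on "GET". The Python below models that decision on a constructed segment; it is an added example, not code from the thread or from Snort, and the addresses, ports and the inspected() helper are made up for illustration.

```python
import struct

# Constructed sample endpoints and payload (not taken from the thread).
SRC_IP = bytes([192, 0, 2, 10])       # sensor host, sending
DST_IP = bytes([198, 51, 100, 20])    # remote web server
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP/TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment whose checksum field is zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, segment) + segment)) & 0xFFFF

def build_segment(src_ip: bytes, dst_ip: bytes, payload: bytes, fill_checksum=True) -> bytes:
    """20-byte TCP header (PSH|ACK) plus payload. With fill_checksum=False the
    field stays zero, which is what a capture on the sending host shows when
    the NIC computes the checksum after libpcap has already copied the frame."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    if fill_checksum:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return seg

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Valid iff the sum over pseudo-header + segment (checksum included) is all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF

def inspected(src_ip: bytes, dst_ip: bytes, segment: bytes, checksum_mode: str = "all") -> bool:
    """Hypothetical model of the decoder's choice: with -k all (default) a segment
    that fails the TCP checksum is flagged and not handed to the rules; with
    -k none (or -k notcp) the checksum is ignored and the segment is inspected."""
    if checksum_mode in ("none", "notcp"):
        return True
    return tcp_checksum_ok(src_ip, dst_ip, segment)

if __name__ == "__main__":
    offloaded = build_segment(SRC_IP, DST_IP, PAYLOAD, fill_checksum=False)
    for mode in ("all", "none"):
        print(f"-k {mode}: GET segment inspected = {inspected(SRC_IP, DST_IP, offloaded, mode)}")
```

Run stand-alone it prints that the same host-originated GET is skipped under -k all and inspected under -k none, which is the behaviour the thread describes.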