Snort mailing list archives

Rules not hit on 2.9.1.1 sensor


From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 20 Oct 2011 13:43:17 +0100


Hello all...

This is a different problem to my post the other day about "Weird
double logging problem" - in fact it is on an entirely different sensor
on a different network.

I have an old box running Snort 2.8.6, which is behind a firewall.
I'm working on a new box running Snort 2.9.1.1 which (for various
reasons) is in front of the firewall.

We have a machine infected (helpfully in this case) with TDSS/TDL
which triggers SID 2011894 (ET TROJAN TDSS/TDL/Alureon MBR rootkit
Checkin) very consistently.

The old box logs this - but the new box fails to alert.

Running httpry on the new box, I do see the traffic, and have two
pcaps which show the same event seen at both boxes but with slight
millisecond differences - but Snort 2.9.x.x fails to alert.

I'm running the snort.conf from the VRT ruleset download for 2.9.1.1
with just HOME_NET and EXTERNAL_NET changed.

A test rule on both boxes:
alert tcp any any -> any any (content:"GET /job/evil.exe ";
content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1;
sid:4100005; rev:1;)

- does alert on both sensors so it would imply the http preprocessor
is working but maybe the depth is wrong?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
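The post's hypothesis is that a depth limit could stop a content match from firing even though the bytes are on the wire. As an added example (not part of Peter's message and not Snort's own code), the Python below re-implements the content/offset/depth and distance/within semantics of Snort 2.x rules in a few lines and runs the posted test rule, plus a variant with too small a depth, against a constructed HTTP request. The two content strings are taken from the rule in the post; the request bytes, the User-Agent line, and the variant rules are constructed for illustration, and the distance/within handling is a simplified model of the manual's description rather than Snort's exact engine.

```python
# Added example: toy re-implementation of Snort 2.x content matching with the
# offset/depth (absolute) and distance/within (relative) modifiers, used to
# show why a too-small depth makes a rule miss traffic that is clearly present.

# Constructed request mirroring the two strings in the posted test rule.
SAMPLE_REQUEST = (
    b"GET /job/evil.exe HTTP/1.1\r\n"
    b"Host: zoneseekers.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n"   # constructed header
    b"\r\n"
)


def find_content(payload, pattern, start, limit=None, nocase=False):
    """Search `payload` for `pattern` beginning at byte offset `start`.

    `limit` caps how many bytes from `start` may be searched; as with Snort's
    depth, the pattern must fit entirely inside that window to count.
    Returns the index just past the match (the new cursor), or None.
    """
    end = len(payload) if limit is None else min(len(payload), start + limit)
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def evaluate_rule(payload, contents):
    """Evaluate an ordered list of (pattern, modifiers) against one payload.

    Modifiers may carry 'offset'/'depth' (measured from the payload start) or
    'distance'/'within' (measured from the end of the previous match; the
    window here is `within` bytes long starting at the distance-adjusted
    cursor, a simplification of Snort's behaviour). Every content must match
    for the rule to fire, as in a real Snort rule.
    """
    cursor = 0
    for pattern, mods in contents:
        if "distance" in mods or "within" in mods:
            start = cursor + mods.get("distance", 0)
            limit = mods.get("within")
        else:
            start = mods.get("offset", 0)
            limit = mods.get("depth")
        cursor = find_content(payload, pattern, start, limit, mods.get("nocase", False))
        if cursor is None:
            return False
    return True


# The rule from the post: no depth, so both strings are searched over the
# whole payload and the rule fires.
POSTED_TEST_RULE = [
    (b"GET /job/evil.exe ", {}),
    (b"Host: zoneseekers.com", {}),
]

# Constructed variant: the Host content is restricted to the first 20 bytes.
# The Host header starts at byte 28 of SAMPLE_REQUEST, so this never matches
# even though the header is on the wire.
DEPTH_TOO_SMALL_RULE = [
    (b"GET /job/evil.exe ", {}),
    (b"Host: zoneseekers.com", {"depth": 20}),
]

# Constructed variant anchored relative to the request line: "HTTP/1.1\r\n"
# is 10 bytes, so the Host header begins 10 bytes after the first match.
RELATIVE_RULE = [
    (b"GET /job/evil.exe ", {}),
    (b"Host: zoneseekers.com", {"distance": 10, "within": 30}),
]


if __name__ == "__main__":
    for name, rule in [("posted rule", POSTED_TEST_RULE),
                       ("depth:20 variant", DEPTH_TOO_SMALL_RULE),
                       ("distance/within variant", RELATIVE_RULE)]:
        print(f"{name:25s} -> {'ALERT' if evaluate_rule(SAMPLE_REQUEST, rule) else 'no alert'}")
```

On a real sensor the equivalent check is to replay the captured pcap through the same configuration, e.g. `snort -c snort.conf -r capture.pcap -A console`, and compare alerts between the two boxes; when traffic has been captured off a link in front of a firewall it is also worth ruling out checksum-based drops with `-k none` before suspecting the rule itself.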

