Snort mailing list archives
Rules not hit on 2.9.1.1 sensor
From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 20 Oct 2011 13:43:17 +0100
Hello all...

This is a different problem to my post the other day about "Weird double logging problem" - in fact it is on an entirely different sensor on a different network.

I have an old box running Snort 2.8.6, which is behind a firewall. I'm working on a new box running Snort 2.9.1.1 which (for various reasons) is in front of the firewall.

We have a machine infected (helpfully in this case) with TDSS/TDL which triggers SID 2011894 (ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin) very consistently. The old box logs this - but the new box fails to alert.

Running httpry on the new box, I do see the traffic, and have two pcaps which show the same event seen at both boxes but with slight millisecond differences - but Snort 2.9.x.x fails to alert.

I'm running the snort.conf from the VRT ruleset download for 2.9.1.1 with just HOME_NET and EXTERNAL_NET changed.

A test rule on both boxes:

    alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

does alert on both sensors, so it would imply the http preprocessor is working but maybe the depth is wrong?
--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
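Added illustration of the "maybe the depth is wrong?" question, not code from the post or from Snort: a small Python model of Snort content/depth/offset matching over a constructed request. The posted test rule is modelled as-is; the depth-limited rule is hypothetical (SID 2011894's real content options are not on this page).

```python
"""Toy model of Snort content matching: plain payload 'content' versus
content restricted with depth/offset inside the http_inspect buffers.
Shows how a tight depth misses a header that a plain content match finds."""

# Constructed sample request, not a real capture.
REQUEST = (b"GET /job/evil.exe HTTP/1.1\r\n"
           b"User-Agent: Mozilla/4.0\r\n"
           b"Host: zoneseekers.com\r\n"
           b"Connection: close\r\n\r\n")


def http_buffers(raw):
    """Split a raw request into the buffers http_inspect exposes
    (raw payload, http_uri, http_header, http_client_body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return {"raw": raw, "uri": uri, "header": headers + b"\r\n",
            "client_body": body}


def content_match(buf, pattern, depth=None, offset=0):
    """Snort semantics: start searching 'offset' bytes in and look only
    within the next 'depth' bytes (whole buffer when depth is None)."""
    end = None if depth is None else offset + depth
    return buf[offset:end].find(pattern) != -1


def rule_matches(rule, raw):
    """rule: list of (pattern, buffer_name, depth, offset); every content
    option must match (Snort ANDs the options of one rule)."""
    bufs = http_buffers(raw)
    return all(content_match(bufs[name], pat, depth, off)
               for pat, name, depth, off in rule)


# The rule as posted: two plain contents over the raw payload, no depth.
POSTED_RULE = [(b"GET /job/evil.exe ", "raw", None, 0),
               (b"Host: zoneseekers.com", "raw", None, 0)]

# Hypothetical variant: the Host content is limited to the first 20 bytes
# of the http_header buffer. The User-Agent header comes first in this
# request (23 bytes), so the Host line lies outside the window.
TIGHT_DEPTH_RULE = [(b"/job/evil.exe", "uri", None, 0),
                    (b"Host: zoneseekers.com", "header", 20, 0)]

# Same hypothetical rule with a depth wide enough to cover the Host line.
WIDE_DEPTH_RULE = [(b"/job/evil.exe", "uri", None, 0),
                   (b"Host: zoneseekers.com", "header", 60, 0)]
```

If the real signature's Host match carries a depth that fits one sensor's traffic but not the other's header ordering, this is the kind of miss to look for.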