Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Martin Holste <mcholste () gmail com>
Date: Thu, 20 Oct 2011 13:50:40 -0500
This rule:

alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

Should be written like this for Snort > 2.9:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; http_method; content:"/job/evil.exe"; http_uri; content:"Host: zoneseekers.com"; nocase; http_header; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

On Thu, Oct 20, 2011 at 11:49 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
Hello all

Apologies, I was being a bit stupid.

snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O

10/20-17:32:16.442956 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 -> xxx.xxx.xxx.xxx:8080
10/20-17:34:48.278042 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62088 -> xxx.xxx.xxx.xxx:8080
10/20-17:37:20.332410 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62113 -> xxx.xxx.xxx.xxx:8080

So yes, my 2.9.1.1 sensor alerts from a pcap but not from the same traffic being received via afpacket/DAQ.

However the simple GET rule:

alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

is still firing when I test it.
--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Cisco Self-Assessment and learn about Cisco certifications, training, and career opportunities. http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
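Martin's rewrite moves the request line and the Host header out of a raw payload match and into Snort's HTTP buffers (http_method, http_uri, http_header). The helper below is an added example, not code from the thread or from Snort: it applies that same rewrite mechanically to rules of the same shape, leaves content matches that are already buffered or are not HTTP-shaped alone, and is idempotent. The option parser, the list of http_* modifiers, and the header rewrite of `any any -> any any` to `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` are this example's own assumptions; the two sample rules are the ones quoted in the thread.

```python
import re
# One rule option: keyword, optional ':value' (quoted or bare), ended by ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
# HTTP buffer modifiers of Snort 2.9 (assumed list; includes the ones in the thread)
HTTP_MODS = {"http_method", "http_uri", "http_raw_uri", "http_header",
             "http_raw_header", "http_cookie", "http_client_body"}
REQ_LINE = re.compile(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s*$')
HDR_LINE = re.compile(r'^[A-Za-z][\w-]*:\s+\S')
# Constructed sample: the legacy rule from the thread and its expected rewrite
OLD_RULE = ('alert tcp any any -> any any (content:"GET /job/evil.exe "; '
            'content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; '
            'gid:1; sid:4100005; rev:1;)')
NEW_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; '
            'http_method; content:"/job/evil.exe"; http_uri; content:"Host: zoneseekers.com"; '
            'nocase; http_header; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)')

def parse_rule(rule):
    """Split 'action proto src sp -> dst dp (opts)' into (header, [(key, value)])."""
    header, _, body = rule.strip().partition("(")
    opts = [(m.group(1), m.group(2)) for m in OPT_RE.finditer(body.rstrip(")"))]
    return header.strip(), opts

def has_http_buffer(opts, i):
    """True if the content at opts[i] is already tied to an http_* buffer."""
    for key, _ in opts[i + 1:]:          # scan modifiers up to the next content
        if key == "content" or key in HTTP_MODS:
            return key in HTTP_MODS
    return False

def modernize(rule):
    """Move raw request-line / header-line content matches into HTTP buffers."""
    header, opts = parse_rule(rule)
    if header == "alert tcp any any -> any any":   # assumption: it is an HTTP rule
        header = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"
    out = []
    for i, (key, val) in enumerate(opts):
        text = (val or "").strip('"')
        m = REQ_LINE.match(text)
        if key != "content" or has_http_buffer(opts, i):
            out.append((key, val))           # not a content, or already buffered
        elif m:                              # "GET /path " -> method + uri buffers
            out += [("content", f'"{m.group(1)}"'), ("http_method", None),
                    ("content", f'"{m.group(2)}"'), ("http_uri", None)]
        elif HDR_LINE.match(text):           # "Host: x" -> header buffer, nocase
            out += [("content", val), ("nocase", None), ("http_header", None)]
        else:                                # not HTTP-shaped: leave it alone
            out.append((key, val))
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in out)
    return f"{header} ({body})"
```

Running modernize(OLD_RULE) yields exactly the rule Martin posted, and running it again on that output changes nothing.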