Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 21 Oct 2011 12:51:04 +0100
Hello again all...

I tried to pinpoint my problem by performing packet captures on my 2.9.1.1 sensor and my 2.8.6 sensor. The 2.9.1.1 sensor would consistently alert from captures made on the older system:

    snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O
    10/20-17:32:16.442956 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 -> xxx.xxx.xxx.xxx:8080

But detected nothing in the capture on the newer system.

I've now swapped the systems around so the 2.9.1.1 system is 'behind' the firewall and it is seeing everything I'm expecting - so there's clearly an oddity with my SPAN port that is in front of my firewall.

I've got pcaps from both sides but haven't gone as far as looking at the difference between the two, but clearly post-firewall some of the packets are being lost.

-- 
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
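The post ends with two captures that have not yet been compared. The script below is an added example, not code from the post or from the Snort project: it diffs two classic pcap files by TCP 5-tuple plus sequence number and lists the packets that the SPAN-side capture lacks, which is the quickest way to confirm that a mirror port is dropping traffic before blaming the rule set. It assumes Ethernet-framed IPv4/TCP in classic pcap format (pcapng is not handled). The addresses and the two embedded captures are constructed for illustration; only the port numbers come from the alert line in the post.

```python
import struct
from collections import Counter

# Constructed sample addresses; the real capture's addresses are masked in the post.
CLIENT = "192.0.2.10"
SERVER = "198.51.100.20"
CLIENT_PORT = 62074   # port numbers taken from the alert line in the post
SERVER_PORT = 8080


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq):
    """Build a minimal Ethernet/IPv4/TCP frame with no payload (constructed test data)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, 6, 0,            # v4/IHL=5, TOS, total len, id, flags, TTL, TCP, csum
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5, PSH|ACK
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames into a classic little-endian pcap (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = []
    for i, frame in enumerate(frames):
        records.append(struct.pack("<IIII", 1319122336 + i, 0, len(frame), len(frame)))
        records.append(frame)
    return header + b"".join(records)


def read_pcap(data):
    """Yield raw frames from a classic pcap; handles either byte order, Ethernet only."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_key(frame):
    """Return (src, dst, sport, dport, seq) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
    return (src, dst, sport, dport, seq)


def missing_packets(reference_pcap, suspect_pcap):
    """TCP packets present in the reference capture but absent from the suspect one."""
    ref = Counter(k for k in map(tcp_key, read_pcap(reference_pcap)) if k is not None)
    sus = Counter(k for k in map(tcp_key, read_pcap(suspect_pcap)) if k is not None)
    return sorted((ref - sus).elements())   # Counter subtraction keeps only positive counts


def sample_captures():
    """Two constructed captures: the second is missing one packet in each direction."""
    c2s = [build_tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, seq) for seq in (1, 2, 3)]
    s2c = [build_tcp_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, seq) for seq in (100, 101)]
    full = [c2s[0], s2c[0], c2s[1], c2s[2], s2c[1]]
    lossy = [c2s[0], s2c[0], c2s[2]]          # drops client seq 2 and server seq 101
    return build_pcap(full), build_pcap(lossy)


if __name__ == "__main__":
    behind_fw, span_port = sample_captures()
    for src, dst, sport, dport, seq in missing_packets(behind_fw, span_port):
        print(f"missing on SPAN side: {src}:{sport} -> {dst}:{dport} seq={seq}")
```

On real files, pass `open(path, "rb").read()` for the capture taken behind the firewall as the reference and the SPAN-port capture as the suspect; keying on sequence number rather than payload means retransmissions are counted separately, so a flow that shows gaps only in one direction points at the mirror port or its oversubscription rather than at the Snort rule.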
Current thread:
- Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Joel Esler (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 21)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)