Snort mailing list archives
Re: writting alert rules
From: Marcos Rodriguez <marcos.e.rodriguez () gmail com>
Date: Thu, 1 Nov 2012 18:42:24 -0400
On Thu, Nov 1, 2012 at 6:15 PM, Akinwale Fasuru <fashman2k1 () yahoo com>wrote:
Hi,

I wrote a rule to alert on visiting www.youtube.com. Alert rule:

alert tcp any any => any any (msg:"someone is on youtube now!"; content:" www.youtube.com"; sid:1000002;rev:1;)

Here is the response I got when I go on youtube:

10/25-22:29:59.126487 [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 157.56.134.97:80 -> 192.168.64.133:42987

Can somebody help pls, not sure what is wrong
Hiya Wale,

Three things:

1. Change the => to ->
2. The preprocessor.rules is very noisy, especially when experimenting, so I suggest you comment that out in your snort.conf.
3. Try adding -k none to your command line when running snort.

I tried your rule with the corrected -> addition and here's the output:

11/01-18:28:14.996926 [**] [1:1000002:1] someone is on youtube now! [**] [Priority: 0] {TCP} 192.168.1.3:60116 -> 74.125.228.35:80
11/01-18:28:14.996926 74:E5:0B:68:B9:10 -> 00:26:62:BD:9D:00 type:0x800 len:0x204
192.168.1.3:60116 -> 74.125.228.35:80 TCP TTL:64 TOS:0x0 ID:31874 IpLen:20 DgmLen:502 DF
***AP*** Seq: 0xBC4AEEDF Ack: 0x3C5987D6 Win: 0x1BF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1547177202 1489490244
Snort-users mailing list: Snort-users () lists sourceforge net
Change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Visit http://blog.snort.org to stay current on all the latest Snort news.
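The reply above fixes the direction operator (=> is not valid Snort syntax; the header takes -> or <>) and points at two sources of noise: the preprocessor.rules alerts such as the "Reset outside window" event in the original post, which come from the stream5 preprocessor (GID 129) rather than from the user's rule, and checksum verification, which -k none disables so that packets with offloaded or otherwise bad checksums are not silently dropped before rule matching. The rule below is an added example written for this thread, not code from either poster; it tightens the original rule the way a production signature would be written. It assumes a stock Snort 2.9 snort.conf where $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are defined and the http_inspect preprocessor is enabled (needed for the http_header modifier). Note that the original rule's content:" www.youtube.com" has a leading space, so it only matches where the host name follows a space, for example in a "Host: www.youtube.com" header; the version below makes that intent explicit.

```snort
# Added example, not from the original post. Assumes the default snort.conf
# variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS) and http_inspect enabled.
#
# Header format: action protocol src_ip src_port direction dst_ip dst_port
# Direction must be "->" (or "<>" for either direction); "=>" is a syntax error.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"POLICY someone is on youtube now!"; \
    flow:to_server,established; \
    content:"Host|3A| www.youtube.com"; http_header; nocase; \
    classtype:policy-violation; \
    sid:1000002; rev:2; \
)
```

flow:to_server,established restricts the match to client-to-server traffic on an established TCP session, so the rule fires once per request instead of on every packet that happens to carry the string; http_header limits the search to the normalised HTTP headers, and nocase handles mixed-case host names. To test it from the command line with the checksum check disabled and alerts printed to the terminal, run something like `snort -c /etc/snort/snort.conf -i eth0 -A console -k none` (path and interface are assumptions). The rule only sees plaintext HTTP; a visit to the same site over HTTPS carries the host name inside TLS and will not match.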
Current thread:
- writting alert rules Akinwale Fasuru (Nov 01)
- Re: writting alert rules Marcos Rodriguez (Nov 01)
- Re: writting alert rules Jefferson, Shawn (Nov 01)
- Re: writting alert rules Akinwale Fasuru (Nov 02)
- Re: writting alert rules waldo kitty (Nov 02)
- Re: writting alert rules waldo kitty (Nov 02)
- Re: writting alert rules Marcos Rodriguez (Nov 01)