Snort mailing list archives

Re: Problems using flow quantifier


From: Research <research () nativemethods com>
Date: Thu, 5 Mar 2015 14:41:33 -0500


On Mar 5, 2015, at 2:25 PM, lists () packetmail net wrote:

On 03/05/2015 12:48 PM, Research wrote:
     sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

I am wondering what I am doing incorrectly?

A very well formed, respectful, asked question -- thank you for that.  Add '-k none', do reply if this does or does not fix it.  I am happy to help.

Cheers,
Nathan Fowler

Hi Nathan,

Thank you for your response.

I modified the command line with the -k none argument as you suggested:

        sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -k none -D

…and then tested the rule and successfully received an alert in alerts.log!

I iterated on the rule and made it a bit more specific:

        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
                (msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"/robots.txt"; sid:10000002; rev:002;)

…and am happy to say that this was successful as well.  It managed to pick up the Bing bot spidering my site.

I checked the man page for the -k argument and note that the -k none option does the following:

        "None turns off the entire checksum verification subsystem."

Out of curiosity, why was that causing problems?  My web server is on a cloud instance - are the virtualized NICs not able to calculate checksums correctly and were they interfering with rule detection (i.e., Snort was seeing an invalid checksum and discarding the packet instead of running the rule on it)?

Thank you.
