Snort mailing list archives
Re: test string not alerting
From: <snort () outlook com>
Date: Thu, 27 Aug 2015 20:38:13 +0000
While you are at it, may I also suggest visiting the http content modifiers? They allow you to specify where exactly in the response to look for your content: headers, body, etc. This can help ease debugging. Also, is the Snort VM NIC set up to be promiscuous and on the same vSwitch you are monitoring?

Sent from Mobile

On Thu, Aug 27, 2015 at 1:32 PM -0700, "Sean" <sean.barmettler () gmail com> wrote:

response (from a website's content), and no. I'm looking for content on a website that shouldn't be there. I was going to try egress traffic after that. Haven't tried using the flow content modifier, no, but I'll attempt that tonight.

On Thu, Aug 27, 2015 at 2:18 PM, Y M <snort () outlook com> wrote:

Is the content you are matching against in the request or response? Have you tried the same rule using the flow content modifier?

Sent from Mobile

On Thu, Aug 27, 2015 at 12:05 PM -0700, "Sean" <sean.barmettler () gmail com> wrote:

I can do a simple ICMP alert that works:

alert icmp any any -> 20.1.1.10 any ( msg: "ICMP packet to high value target!"; sid: 1; rev:1; priority: 1;)

Yet I can't create a simple text string detector to detect HTML strings:

alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid: 2; rev:2; priority: 1;)

I wouldn't waste a mailing list's time with this, but I've set up an entire ESXi lab with routers, switches, security monitors, and THIS... THIS is what is stumping me. Hints/clues/suggestions welcome. Thanks.

Sean
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
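The two suggestions in this thread (restrict the match with `flow`, and point the `content` match at a specific HTTP buffer) combined into rules, as an added example that is not from any poster in the thread. It assumes Snort 2.9.x with the stream5 and http_inspect preprocessors enabled (with response inspection and gzip decoding turned on), the standard snort.conf variables `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS`, and placeholder SIDs in the local range.

```snort
# Added example rules (not from the thread). Assumed environment: Snort 2.9.x,
# stream5 + http_inspect preprocessors loaded, standard snort.conf variables,
# SIDs 1000001-1000003 are placeholders in the local rule range.

# 1. Response side: the string is in the web page the client receives.
#    flow:to_client,established  - only the server->client half of a session
#                                  that stream5 has tracked from the handshake.
#    file_data                   - moves the detection cursor to the HTTP
#                                  response body as normalized by http_inspect
#                                  (decompressed when gzip decoding is on), so
#                                  a Content-Encoding: gzip page still matches
#                                  where a raw payload content match would not.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LAB test string in HTTP response body"; \
    flow:to_client,established; \
    file_data; content:"poop"; nocase; \
    classtype:misc-activity; sid:1000001; rev:1; )

# 2. Request side (egress): the same string sent by a client in the URI.
#    http_uri is a content modifier and therefore follows the content keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LAB test string in HTTP request URI"; \
    flow:to_server,established; \
    content:"poop"; nocase; http_uri; \
    classtype:misc-activity; sid:1000002; rev:1; )

# 3. Request side: the string in a POST body rather than the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LAB test string in HTTP request body"; \
    flow:to_server,established; \
    content:"poop"; nocase; http_client_body; \
    classtype:misc-activity; sid:1000003; rev:1; )
```

To separate a rule problem from a visibility problem (promiscuous mode, wrong vSwitch), run the rules against a capture taken on the sensor with `snort -c snort.conf -r test.pcap -A console`: if the pcap alerts but live traffic does not, the sensor is not seeing the packets.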
Current thread:
- test string not alerting Sean (Aug 27)
- Re: test string not alerting Al Lewis (allewi) (Aug 27)
- Re: test string not alerting Y M (Aug 27)
- Re: test string not alerting Sean (Aug 27)
- Re: test string not alerting snort (Aug 27)
- Re: test string not alerting Sean (Aug 27)
- Re: test string not alerting waldo kitty (Aug 27)