Snort mailing list archives
Re: Snort not generating alert
From: Y M <snort () outlook com>
Date: Sat, 28 Nov 2015 12:44:04 +0000
I have looked at your files, but you may want to consider the "flow" and "http_header" keywords in the rule posted. Try these and see if they help.

Sent from Mobile

_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>

Hi,

I am using Ubuntu 14.04 LTS and have some problems while detecting some strings in the payload of a pcap. Actually the problem is that when I hit the pcap with the Snort rules file named r1.rules, no alerts are generated. Assume that the pcap and rules file are in the same directory, snort.conf is in /etc/snort/snort.conf, and I have enabled TCP reassembly.

* Command1 executed:
  sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none

* Rule which should trigger:
  alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)

* Output1: no alert generated

* Command2 executed:
  sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none

* Output2: This command prints the HTTP response stream, and it contains both contents which are in the rule to be matched, so it should generate an alert, but Snort is not generating an alert, even though both contents are present in the output stream generated using switch -A cmg instead of -A console.

I have attached the response file named "r1_response.txt" (i.e. the output generated while executing Command2), snort.conf, r1.rules, and TCP_SACK.pcap (the pcap to be hit). Please resolve the issue and let me know the solution.

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road, Lahore, Pakistan
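The following rule file is an added illustration of the "flow" and HTTP-buffer keywords the reply points to; it is not from this thread, from Qasim's r1.rules, or from the Snort project. It assumes Snort 2.9 with the http_inspect server preprocessor enabled for the port the response is seen on, and it assumes (not stated anywhere in the thread) that the captured response carries a "Content-Type: text/html" header. The sid is a placeholder, not an allocated rule id.

```snort
# Original rule from the thread, kept for comparison. Both contents are searched
# in the raw payload with no direction or buffer constraint, so the rule relies
# entirely on how the two strings land in the reassembled packet(s).
# alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)

# Added example (assumed setup: http_inspect enabled on the response port).
# flow:to_client,established - only inspect server-to-client traffic on a
#                              tracked session, so reassembled HTTP responses
#                              are the data being matched.
# http_stat_code             - match the "200" against the parsed status code
#                              rather than hunting for "HTTP/1.1 200 OK" raw.
# http_header                - match a header field in the normalized header
#                              buffer (the Content-Type value is an assumption).
# file_data                  - switch the following content to the response
#                              body buffer, where the script fragment lives.
alert tcp any any -> any any ( \
    msg:"HTTP 200 response carrying prevDays script fragment (example)"; \
    flow:to_client,established; \
    content:"200"; http_stat_code; \
    content:"text/html"; http_header; nocase; \
    file_data; content:"prevDays=new Arr"; nocase; \
    classtype:misc-activity; \
    sid:1000014; rev:1; \
)
```

To exercise it offline the same way the thread does, save the block as r2.rules, include it from snort.conf (or pass it with -c on a minimal config that loads the stream5 and http_inspect preprocessors), and replay the capture with the same command Qasim used: `sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r TCP_SACK.pcap -k none`. If the rule still stays silent, `-A cmg` on the same run shows which buffer the strings actually land in, which tells you whether the http_header or file_data assumption above holds for this particular response.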
------------------------------------------------------------------------------
Current thread:
- Snort not generating alert Qasim Javed (Nov 26)
- Re: Snort not generating alert Y M (Nov 28)
- Re: Snort not generating alert Y M (Nov 28)
- Re: Snort not generating alert Al Lewis (allewi) (Nov 29)
- Re: Snort not generating alert Qasim Javed (Nov 29)
- Re: Snort not generating alert Qasim Javed (Nov 30)
- Re: Snort not generating alert Al Lewis (allewi) (Nov 30)
- Re: Snort not generating alert Qasim Javed (Nov 30)
- Re: Snort not generating alert Y M (Nov 28)