Snort mailing list archives
Re: Snort not generating alert
From: Qasim Javed <qasim.javed () ebryx com>
Date: Mon, 30 Nov 2015 18:19:41 +0500
Yeah sure!

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

On 30 November 2015 at 17:38, Al Lewis (allewi) <allewi () cisco com> wrote:

> Great! You may still want to change the rule to use one of the http rule keywords so that ONLY the http header is searched for the status code/http response. Either way the choice is yours.
>
> Cheers!
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
> From: Qasim Javed [mailto:qasim.javed () ebryx com]
> Sent: Monday, November 30, 2015 3:08 AM
> To: Al Lewis (allewi)
> Cc: snort-users () lists sourceforge net; Fahim Abbasi
> Subject: Re: [Snort-users] Snort not generating alert
>
> Hi,
>
> I read your snort configuration file and made a little change from "config paf_max: 16000" to "config paf_max: 63780" in snort.conf and my rule started to work. I think there is no need to change anything other than that.
>
> Best Regards,
> Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
>
> On 30 November 2015 at 11:28, Qasim Javed <qasim.javed () ebryx com> wrote:
>
>> Thanks for your support. You made my day, it worked!
>>
>> Best Regards,
>> Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
>>
>> On 30 November 2015 at 02:44, Al Lewis (allewi) <allewi () cisco com> wrote:
>>
>>> Hello,
>>>
>>> Attached are the conf, pcap and log. I chose to use the http_stat_code with a value of '200' in your rule since you were looking for the server response code.
>>>
>>> alert tcp any any -> any any (sid:100015; rev:1; msg:"both contents found"; flow:to_client,established; content:"200"; http_stat_code; content:"prevDays=new Arr"; nocase;)
>>>
>>> Command I used:
>>>
>>> ./bin/snort -c etc/JAVED.conf -r etc/JAVED.pcap -Acmg -H -U -k none -q
>>>
>>> 06/16-18:20:10.416489 [**] [1:100015:1] both contents found [**] [Priority: 0] {TCP} 63.116.243.97:80 -> 192.168.1.3:58816
>>> Stream reassembled packet
>>> 06/16-18:20:10.416489 00:26:62:2F:47:87 -> 00:1D:60:B3:01:84 type:0x800 len:0x5F88
>>> 63.116.243.97:80 -> 192.168.1.3:58816 TCP TTL:64 TOS:0x0 ID:43234 IpLen:20 DgmLen:24442 DF
>>> ***A**** Seq: 0xA3C480A0 Ack: 0xE5943F77 Win: 0xAA00 TcpLen: 32
>>> 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
>>> 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
>>> 20 32 33 38 35 38 0D 0A 43 6F 6E 74 65 6E 74 2D   23858..Content-
>>> 54 79 70 65 3A 20 74 65 78 74 2F 6A 61 76 61 73  Type: text/javas
>>> 63 72 69 70 74 0D 0A 4C 61 73 74 2D 4D 6F 64 69  cript..Last-Modi
>>> 66 69 65 64 3A 20 57 65 64 2C 20 31 36 20 4A 75  fied: Wed, 16 Ju
>>> 6E 20 32 30 31 30 20 31 37 3A 32 35 3A 31 34 20  n 2010 17:25:14
>>> 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67  GMT..Accept-Rang
>>> 65 73 3A 20 62 79 74 65 73 0D 0A 45 54 61 67 3A  es: bytes..ETag:
>>> 20 22 30 37 39 37 35 65 31 37 38 64 63 62 31 3A   "07975e178dcb1:
>>> 35 33 33 33 22 0D 0A 53 65 72 76 65 72 3A 20 4D  5333"..Server: M
>>> 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30  icrosoft-IIS/6.0
>>>
>>> See here in the manual about the http_stat_code keyword:
>>> http://manual.snort.org/node32.html#SECTION004519000000000000000
>>>
>>> You should also be able to use the 'http_header' option as YM mentions below.
>>>
>>> Hope this helps!
>>>
>>> Albert Lewis
>>> QA Software Engineer
>>> SOURCEfire, Inc. now part of Cisco
>>> 9780 Patuxent Woods Drive
>>> Columbia, MD 21046
>>> Phone: (office) 443.430.7112
>>> Email: allewi () cisco com
>>>
>>> From: Y M [mailto:snort () outlook com]
>>> Sent: Saturday, November 28, 2015 7:44 AM
>>> To: Qasim Javed
>>> Cc: snort-users () lists sourceforge net
>>> Subject: Re: [Snort-users] Snort not generating alert
>>>
>>>> I have looked at your files, but you may want to consider "flow" and "http_header" keywords in the rule posted. Try these and see if they help.
>>>>
>>>> Sent from Mobile
>>>>
>>>> _____________________________
>>>> From: Qasim Javed <qasim.javed () ebryx com>
>>>> Sent: Friday, November 27, 2015 10:32 AM
>>>> Subject: [Snort-users] Snort not generating alert
>>>> To: <snort-users () lists sourceforge net>
>>>>
>>>>> Hi,
>>>>>
>>>>> I am using ubuntu 14.04 LTS and have some problems while detecting some strings in payload of pcap. Actually the problem is that when I hit the pcap with snort rules file named r1.rules then no alerts are generated. Assuming that pcap, rules file are in same directory and snort.config is in /etc/snort/snort.conf and I have enabled TCP reassembly.
>>>>>
>>>>> - Command1 executed: sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
>>>>> - Rule which should trigger: alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
>>>>> - Output1: no alert generated
>>>>> - Command2 executed: sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
>>>>> - Output2: This command generates http-response stream and it has both contents which are in rule to be matched and it should generate alert, but snort is not generating alert while both contents are present in output stream generated using switch -A cmg instead of -A console.
>>>>>
>>>>> I have attached response file named "r1_response.txt" (i.e. output generated while executing command2), snort.conf, r1.rules, TCP_SACK.pcap (pcap to be hit). Please resolve the issue and let me know the solution.
>>>>>
>>>>> Best Regards,
>>>>> Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
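The paf_max change and the two rules from the thread, as an added toy model in Python (not Snort's code, and not from any poster). It assumes a simplified picture that the thread implies: Snort evaluates a rule's content options against one reassembled chunk, and "config paf_max" caps how many bytes one chunk may hold, so a response longer than paf_max is flushed in pieces. The response body and the offset of the second pattern are constructed.

```python
# Added illustration, not Snort source: a simplified model of the thread's
# problem. A rule's content matches are checked against one reassembled
# chunk, and "config paf_max" caps the size of that chunk (assumed model).
STATUS_LINE = b"HTTP/1.1 200 OK\r\n"
HEADERS = b"Content-Type: text/javascript\r\nContent-Length: 23858\r\n\r\n"
# Constructed body (assumed layout): the second pattern sits ~20000 bytes in,
# i.e. beyond a 16000-byte flush boundary but inside a 63780-byte one.
BODY = b"A" * 20000 + b"prevDays=new Array();" + b"B" * 3837


def build_stream() -> bytes:
    """The server response as the stream reassembler would hand it to rules."""
    return STATUS_LINE + HEADERS + BODY


def flush_chunks(stream: bytes, paf_max: int) -> list:
    """Model of PAF flushing: consecutive chunks of at most paf_max bytes."""
    return [stream[i:i + paf_max] for i in range(0, len(stream), paf_max)]


def raw_rule_matches(chunk: bytes) -> bool:
    """sid:100014 from the thread: two plain, nocase content matches."""
    low = chunk.lower()
    return b"http/1.1 200 ok" in low and b"prevdays=new arr" in low


def http_stat_code(chunk: bytes):
    """Status code of an HTTP status line at the chunk start, else None."""
    if not chunk.startswith(b"HTTP/"):
        return None
    parts = chunk.split(b" ", 2)
    return parts[1] if len(parts) > 1 else None


def stat_code_rule_matches(chunk: bytes) -> bool:
    """sid:100015 from the thread: http_stat_code "200" plus the body content."""
    return http_stat_code(chunk) == b"200" and b"prevdays=new arr" in chunk.lower()


def alerts(stream: bytes, paf_max: int, rule) -> list:
    """Indices of the flushed chunks on which the given rule would alert."""
    return [i for i, ch in enumerate(flush_chunks(stream, paf_max)) if rule(ch)]


if __name__ == "__main__":
    for paf in (16000, 63780):
        print(f"paf_max={paf}: sid:100014 -> {alerts(build_stream(), paf, raw_rule_matches)}, "
              f"sid:100015 -> {alerts(build_stream(), paf, stat_code_rule_matches)}")
```

With paf_max 16000 the status line and the body pattern land in different chunks and neither rule fires; with 63780 the whole response is one chunk and both fire.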