Snort mailing list archives

snort honeytoken config


From: Samuel Kidman <skidman () netwealth com au>
Date: Wed, 4 May 2016 05:23:44 +0000

Hello

I am trying to use Snort to check for certain strings leaving an MSSQL database. The idea is that if these are leaving the
database, then someone is running queries they shouldn't be.

I have created a simple content rule:

alert tcp any 1433 -> any any (content: "HONEYTOKEN"; msg: "test honeytoken rule"; sid:1000001;)

If I query the database and run a packet capture on the Snort machine, then feed the packet capture into Snort (using
the -r switch), the rule works as expected.

However, if I run Snort in IDS mode (using the -i switch), then the rule isn't triggered.

Does anyone know what could be happening?

Regards, Sam
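An added example, not code from the original post or from the Snort project: a stdlib-only Python script that builds a small pcap of constructed TCP/1433 traffic and applies the posted rule's header and content semantics to it. The IP addresses, ports, MAC addresses and payload bytes are all made up for the demonstration. The matcher only reimplements what the rule as written expresses (source port 1433, case-sensitive byte match on HONEYTOKEN in the TCP payload); it is not a Snort engine and does no stream reassembly or TDS decoding. The second constructed packet carries the token as UTF-16LE, which is how MSSQL returns NVARCHAR columns on the wire, and shows that the plain-ASCII content option does not fire on it.

```python
"""Build a honeytoken test pcap and evaluate the posted Snort rule's
match logic over it. Stdlib only; all traffic below is constructed."""
import os
import struct
import tempfile

# The posted rule, reduced to the fields the matcher needs:
# alert tcp any 1433 -> any any (content:"HONEYTOKEN"; msg:...; sid:1000001;)
RULE = {"sport": 1433, "content": b"HONEYTOKEN",
        "msg": "test honeytoken rule", "sid": 1000001}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload, seq=1, ack=1):
    """Ethernet/IPv4/TCP frame with valid checksums (constructed MACs)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    flags = 0x18  # PSH|ACK, i.e. a data segment inside an established session
    tcp_len = 20 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_fmt = "!HHIIBBHHH"
    tcp_nocsum = struct.pack(tcp_fmt, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    tcp_csum = _checksum(pseudo + tcp_nocsum + payload)
    tcp_hdr = struct.pack(tcp_fmt, sport, dport, seq, ack, 5 << 4, flags, 65535, tcp_csum, 0)
    ip_fmt = "!BBHHHBBH4s4s"
    ip_nocsum = struct.pack(ip_fmt, 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = struct.pack(ip_fmt, 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6,
                         _checksum(ip_nocsum), src, dst)
    return eth + ip_hdr + tcp_hdr + payload


def write_pcap(path, frames):
    """Write frames as a classic little-endian pcap with LINKTYPE_ETHERNET."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1462300000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield the raw frames back out of a pcap written by write_pcap."""
    with open(path, "rb") as f:
        data = f.read()
    off = 24  # skip global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def evaluate_rule(frame, rule=RULE):
    """Return an alert dict if the frame satisfies the rule header and content, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    if sport != rule["sport"]:          # "any 1433 -> any any": server side must be the source
        return None
    if rule["content"] not in payload:  # content: is a case-sensitive exact byte match
        return None
    return {"msg": rule["msg"], "sid": rule["sid"], "sport": sport, "dport": dport}


def sample_frames():
    """Constructed traffic: server response in ASCII, the same in UTF-16LE, and a client query."""
    token = b"HONEYTOKEN"
    return [
        build_tcp_packet("10.0.0.5", "10.0.0.20", 1433, 51000, b"\x04\x01" + b"\x00" * 6 + b"row: " + token),
        build_tcp_packet("10.0.0.5", "10.0.0.20", 1433, 51000, token.decode().encode("utf-16-le")),
        build_tcp_packet("10.0.0.20", "10.0.0.5", 51000, 1433, b"SELECT * FROM t WHERE c = 'HONEYTOKEN'"),
    ]


def demo(path=None):
    """Write the sample pcap, read it back and evaluate the rule per frame."""
    path = path or os.path.join(tempfile.gettempdir(), "honeytoken_test.pcap")
    write_pcap(path, sample_frames())
    return [evaluate_rule(frame) for frame in read_pcap(path)]


if __name__ == "__main__":
    for i, alert in enumerate(demo()):
        print(i, alert)
```

Only the first frame produces the sid 1000001 alert: the UTF-16LE frame misses because the content bytes are interleaved with NULs, and the client query misses because its source port is 51000, not 1433. Because the frames carry valid IP and TCP checksums, the written pcap is also usable as a known-good input for `snort -r`, and replaying it onto the monitored interface (for example with tcpreplay) separates a rule problem from a live-capture problem, which is the distinction the post is trying to make.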

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
