Snort mailing list archives
snort honeytoken config
From: Samuel Kidman <skidman () netwealth com au>
Date: Wed, 4 May 2016 05:23:44 +0000
Hello

I am trying to use snort to check for certain strings leaving an MSSQL database. The idea is if these are leaving the database then someone is doing queries they shouldn't be. I have created a simple content rule:

alert tcp any 1433 -> any any (content: "HONEYTOKEN"; msg: "test honeytoken rule"; sid:1000001;)

If I query the database and run a packet capture on the snort machine, then feed the packet capture into snort (using the -r switch) the rule works as expected. However, if I run snort in IDS mode (using -i switch) then the rule isn't triggered. Does anyone know what could be happening?

Regards,
Sam
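
The check described in the post, as an added Python example that is not part of the original message and not Snort's own logic. It goes beyond the rule as posted by also matching the token as UTF-16LE (the encoding SQL Server uses for nvarchar data on the wire) and across TCP segment boundaries; the class name, flow tuple layout and sample bytes are assumptions constructed for illustration.

```python
# Added example: stream-aware honeytoken matcher (hypothetical helper, not Snort code).
TOKEN = "HONEYTOKEN"   # token string from the rule in the post
DB_PORT = 1433         # source port from the rule: tcp any 1433 -> any any


class HoneytokenMatcher:
    """Scan server-to-client payloads per flow for the token.

    A short tail of each flow is kept so that a token split across two
    segments is still found, and each pattern only sees len(pattern)-1
    bytes of tail so a hit is never reported twice.
    """

    def __init__(self, token=TOKEN):
        self.patterns = {
            "ascii": token.encode("ascii"),         # varchar / char columns
            "utf-16le": token.encode("utf-16-le"),  # nvarchar / nchar columns
        }
        self.keep = max(len(p) for p in self.patterns.values()) - 1
        self.tails = {}  # flow tuple -> trailing bytes of that flow

    def feed(self, flow, payload):
        """flow = (src_ip, src_port, dst_ip, dst_port); returns encodings that hit."""
        if flow[1] != DB_PORT:          # only traffic leaving the database
            return []
        tail = self.tails.get(flow, b"")
        hits = []
        for name, pat in self.patterns.items():
            n = len(pat) - 1
            window = (tail[-n:] if n else b"") + payload
            if pat in window:
                hits.append(name)
        self.tails[flow] = (tail + payload)[-self.keep:] if self.keep else b""
        return hits


if __name__ == "__main__":
    # Constructed sample bytes, not a real TDS capture.
    m = HoneytokenMatcher()
    flow = ("10.0.0.5", 1433, "10.0.0.9", 50122)
    row = b"\x00\x14" + TOKEN.encode("utf-16-le") + b"\x00"
    print(m.feed(flow, row[:9]))   # first segment: token incomplete
    print(m.feed(flow, row[9:]))   # second segment completes the token
```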