Re: gzip decompress search fails.

[fatema bannatwala <fatema.bannatwala () gmail com>]

Hi Joel,

I am running snort on : Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu
SMP x86_64 x86_64 x86_64 GNU/Linux
And I installed snort using debian packages i.e by 'apt-get install snort'.
The version of snort that got installed is Version 2.9.6.0 GRE (Build 47)
I am attaching the snort.conf file that I currently have.

I tried a simple content rule and it worked fine, but when I tried rule
with "file_data" as ab attribute then it never gets triggered (I generated
the relevant traffic that should trigger that rule).
Also below are the two rules in my local.rules (first one is not working):

alert tcp any any <> any any
(msg:"SEEN-file_data-PhoneNo";file_data;content:"3028314317";nocase;sid:9000003;rev:1;)
alert tcp any any <> any any
(msg:"SEEN-content";content:"a";nocase;sid:9000002;rev:1;)

P.S: I tried all possible ways to troubleshoot this issue but couldn't make
it worked, hence thought that it could be Ubuntu snort version is broken.

Thanks,
Fatema.




On Mon, Aug 8, 2016 at 9:07 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Can you attach a sanitized version of your snort.conf here?
>
> --
> *Joel Esler*
> Manager
> Open Source
> Talos Group
> http://www.talosintelligence.com
>
>
> On Aug 3, 2016, at 1:21 PM, fatema bannatwala <fatema.bannatwala () gmail com>
> wrote:
>
> Hi,
>
> I wanted to test this rule using snort, just as a starting point, and
> think that snort fails to decompress the file data and hence the rule is
> never triggered. Any what I am missing?
>
> alert tcp any any <> any any (msg:"SEEN-1234565555-file_dat
> a";file_data;content:"1234565555";nocase;sid:9000003;rev:1;)
>
> Please help me on this, this is kinda an urgent issue for me to solve this.
>
> Thanks,
> Fatema.
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

Attachment: snort.conf
Description:

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. http://sdm.link/zohodev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!