Snort mailing list archives
Re: gzip decompress search fails.
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 8 Aug 2016 16:50:08 +0000
2.9.6.0 has been EOL for a few years. Please download Snort and compile from scratch. Install guides are available on the Documents page on Snort.org (http://snort.org).

Sent from my iPhone

On Aug 8, 2016, at 12:41 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:

Hi Joel,

I am running snort on:
Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

And I installed snort using debian packages, i.e. by 'apt-get install snort'. The version of snort that got installed is Version 2.9.6.0 GRE (Build 47).

I am attaching the snort.conf file that I currently have.

I tried a simple content rule and it worked fine, but when I tried a rule with "file_data" as an attribute then it never gets triggered (I generated the relevant traffic that should trigger that rule).

Also below are the two rules in my local.rules (first one is not working):

alert tcp any any <> any any (msg:"SEEN-file_data-PhoneNo";file_data;content:"3028314317";nocase;sid:9000003;rev:1;)
alert tcp any any <> any any (msg:"SEEN-content";content:"a";nocase;sid:9000002;rev:1;)

P.S: I tried all possible ways to troubleshoot this issue but couldn't make it work, hence thought that it could be the Ubuntu snort version that is broken.

Thanks,
Fatema.

On Mon, Aug 8, 2016 at 9:07 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

Can you attach a sanitized version of your snort.conf here?

--
Joel Esler
Manager
Open Source
Talos Group
http://www.talosintelligence.com

On Aug 3, 2016, at 1:21 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:

Hi,

I wanted to test this rule using snort, just as a starting point, and think that snort fails to decompress the file data and hence the rule is never triggered. Any idea what I am missing?

alert tcp any any <> any any (msg:"SEEN-1234565555-file_data";file_data;content:"1234565555";nocase;sid:9000003;rev:1;)

Please help me on this, this is kinda an urgent issue for me to solve.

Thanks,
Fatema.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

<snort.conf>
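The thread's core observation, that a rule matching on the raw packet payload fires while a rule matching on the (supposedly decompressed) file_data buffer does not, comes down to whether the inspecting engine ever sees the decompressed body. The following Python example is added here to illustrate that point; it is not code from the thread or from the Snort project. It builds a constructed HTTP response whose body contains the phone-number string from Fatema's rule, once uncompressed and once gzip- or deflate-compressed, and shows that the literal bytes are only present after decoding the Content-Encoding. The helper names (build_response, split_response, decode_body, match_raw_vs_decoded) and the sample HTML body are assumptions made up for this illustration. In Snort 2.x the HTTP preprocessor only populates file_data with a decompressed response body when its server configuration enables gzip inspection (the inspect_gzip option, which in turn requires extended_response_inspection), so that is the part of the attached snort.conf worth checking alongside the rule itself.

```python
import gzip
import zlib

# Constructed sample body: contains the string that Fatema's rule looks for.
PLAINTEXT_BODY = b"<html><body>Call us at 1234565555 for details</body></html>"
PATTERN = b"1234565555"


def build_response(body, encoding=None):
    """Build a minimal HTTP/1.1 response; optionally compress the body.

    encoding is None (identity), "gzip" or "deflate". Constructed for this
    example; it is not how a real server or Snort assembles traffic.
    """
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)
    else:
        payload = body
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html",
        b"Content-Length: %d" % len(payload),
    ]
    if encoding:
        headers.append(b"Content-Encoding: " + encoding.encode("ascii"))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw):
    """Split a raw response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body):
    """Undo the Content-Encoding so the body can be searched as the client sees it."""
    encoding = headers.get(b"content-encoding", b"identity")
    if encoding == b"gzip":
        return gzip.decompress(body)
    if encoding == b"deflate":
        try:
            return zlib.decompress(body)            # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body


def match_raw_vs_decoded(raw, pattern):
    """Return (found in wire bytes, found in decoded body).

    The first value is what a plain content match on the packet payload sees;
    the second is what a match on the decompressed body sees.
    """
    headers, body = split_response(raw)
    return pattern in body, pattern in decode_body(headers, body)


if __name__ == "__main__":
    for enc in (None, "gzip", "deflate"):
        raw_hit, decoded_hit = match_raw_vs_decoded(build_response(PLAINTEXT_BODY, enc), PATTERN)
        print(f"encoding={enc!s:8} raw match={raw_hit!s:5} decoded match={decoded_hit}")
```

Running the script shows the pattern matching in both views for the uncompressed response, but only in the decoded view for the gzip and deflate responses: a rule keyed to the decompressed body can never fire if the engine is not configured to produce that decompressed view.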
Current thread:
- gzip decompress search fails. fatema bannatwala (Aug 03)
- Re: gzip decompress search fails. Joel Esler (jesler) (Aug 08)
- Re: gzip decompress search fails. fatema bannatwala (Aug 08)
- Re: gzip decompress search fails. Joel Esler (jesler) (Aug 08)
- Re: gzip decompress search fails. fatema bannatwala (Aug 08)
- Re: gzip decompress search fails. Joel Esler (jesler) (Aug 08)