Snort mailing list archives
Re: Snort -Problem with rule -
From: 강명훈 <mhkang589 () gmail com>
Date: Tue, 2 May 2017 00:39:24 +0900
The PCRE tries to match the string 'or+1=1'. Does the string 'or+(one or more)' actually exist in the packet?

2017-05-01 11:19 GMT+09:00 Al Lewis (allewi) <allewi () cisco com>:
> Replay the pcap file into snort with the -r option. Check the manual for more info.
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node8.html
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com
>
> From: Joe Bowes <joebowes50 () yahoo com>
> Reply-To: "joebowes50 () yahoo com" <joebowes50 () yahoo com>
> Date: Sunday, April 30, 2017 at 7:38 PM
> To: allewi <allewi () cisco com>, "younes.abderrahmane31 () gmail com" <younes.abderrahmane31 () gmail com>, 'snort-users' <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Snort -Problem with rule -
>
> Hello.....I am working on a class assignment.....having a hard time....need to learn how to export packets from Wireshark into Snort.....any help greatly appreciated.
>
> Sent from Yahoo Mail on Android
>
> On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
>
> Hello,
>
> It may be easier to get help if you included a pcap of the traffic.
>
> Thanks.
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com
>
> On 4/28/17, 9:05 PM, "younes.abderrahmane31 () gmail com" <younes.abderrahmane31 () gmail com> wrote:
>
> Hello everyone,
>
> I am trying to test SQLi with Snort. I have two machines:
> 1- Where I installed SNORT, and the application dvwa (to test SQL injection)
> 2- The machine which is going to make the SQLi attack on the dvwa application
>
> So in the first machine I added this rule (in local.rule), to detect SQLi (https://www.linkedin.com/pulse/detecting-sql-injections-real-time-mission-impossible-val-smirnov):
>
> alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:10000002; rev:002;)
>
> And after the test
>
> sudo snort -T -c /etc/snort/snort.conf -i eth0
> sudo snort -A console -c /etc/snort/snort.conf -i eth0
>
> Snort detects nothing (for example '1or1=1#). But when I deleted the pcre part of the rule, Snort detects it:
>
> alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002; rev:002;)
>
> Can someone help me, why does the first rule (with pcre) not work?
> Thanks.
>
> Sent from Mail for Windows 10
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
-----------------------
Kang Myoung-hun
-----------------------
+82-10 6604 6084
kangmyounghun.blogspot.kr
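To see why the full rule stays silent on the poster's payload while the content-only rule fires, here is an added Python emulation of the rule's two match stages over constructed request bodies; it is not Snort and not code from the thread, and it assumes the requests are POSTs so the HTTP client body buffer that `http_client_body` and the `P` modifier refer to is populated.

```python
import re

# Match components copied from the rule posted in the thread:
#   content:"1%3D1"; http_client_body;  -> literal, case-sensitive, in the client body
#   pcre:"/or\++1%3D1/Pi";              -> 'or', one or more literal '+', then '1%3D1',
#                                          case-insensitive (i), against the client body (P)
CONTENT = "1%3D1"
PCRE = re.compile(r"or\++1%3D1", re.IGNORECASE)


def rule_matches(client_body: str) -> dict:
    """Emulate the rule on one HTTP client body and report each stage.

    The pcre is only evaluated once the content match has succeeded,
    mirroring how Snort gates the regex behind the fast-pattern content.
    """
    content_hit = CONTENT in client_body
    pcre_hit = bool(content_hit and PCRE.search(client_body))
    return {"content": content_hit, "pcre": pcre_hit, "alert": content_hit and pcre_hit}


# Constructed DVWA-style form bodies (not taken from any pcap in the thread).
SAMPLES = {
    # the poster's test payload '1or1=1#: no '+' between 'or' and '1', so the pcre fails
    "no_plus": "id=%271or1%3D1%23&Submit=Submit",
    # a '+' (form-encoded space) between 'or' and '1', which is what the pcre expects
    "with_plus": "id=%27+or+1%3D1%23&Submit=Submit",
    # mixed case and several '+': still matched because of the /i flag and the + quantifier
    "mixed_case": "id=%27+OR+++1%3D1%23&Submit=Submit",
    # '=' sent unencoded: even the content stage fails, so nothing alerts
    "raw_equals": "id=%27+or+1=1%23&Submit=Submit",
}


def evaluate_samples() -> dict:
    """Run every constructed body through the emulated rule."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in evaluate_samples().items():
        print(f"{name:11s} content={r['content']!s:5} pcre={r['pcre']!s:5} alert={r['alert']}")
```

The `no_plus` row reproduces the thread's symptom: the content stage (and therefore the content-only rule) matches, but the regex never sees the `+` run it requires.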
Current thread:
- Snort -Problem with rule - younes.abderrahmane31 (Apr 28)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)
- Re: Snort -Problem with rule - Joe Bowes (Apr 30)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)
- Re: Snort -Problem with rule - 강명훈 (May 01)
- Re: Snort -Problem with rule - Younes Abderrahmane (May 01)
- Re: Snort -Problem with rule - Joe Bowes (Apr 30)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)