Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort -Problem with rule -

From: Younes Abderrahmane <younes.abderrahmane31 () gmail com>
Date: Mon, 1 May 2017 14:46:34 -0700
*Hello,*

*Export your file in format pcap; later read it  with Snort ,*

*And  you can read multiple PCAPS from a file*

*Here are some links which can be useful*
 *Reading pcap files.
<http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node8.html>*Make
Your Network Secure with PCAP and Snort
<http://opensourceforu.com/2015/04/make-your-network-secure-with-pcap-and-snort/>


On Sun, Apr 30, 2017 at 4:38 PM, Joe Bowes <joebowes50 () yahoo com> wrote:


Hello.....i am working on a class assignment.....having a hard
time....need to learn how to export packets from wireshark into
Snort.....any help greatly appreciated.

Sent from Yahoo Mail on Android
<https://overview.mail.yahoo.com/mobile/?.src=Android>

On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi)
<allewi () cisco com> wrote:
Hello,

    It may be easier to get help if you included a pcap of the traffic.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com








On 4/28/17, 9:05 PM, "younes.abderrahmane31 () gmail com" <
younes.abderrahmane31 () gmail com> wrote:


Hello everyone
I am trying to test SQLI with a snort
I have two machines:
1- Where I installedSNORT, and the application dvwa (to test sql

injection)

2- The machine which is going to make the attack Sqli injection on the

dvwa application


So in the first machine I added this rule (in local.rule), To detect Sqli
(https://www.linkedin.com/pulse/detecting-sql-

injections-real-time-mission-impossible-val-smirnov)

************************************************************
alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection

attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only;
http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop,
policy security-ips drop, service http; reference:url,ferruh.mavituna.
com/sql-injection-cheatsheet-oku/; classtype:web-application-attack;
sid:10000002; rev:002;)

**************************************************************

And after the test
sudo snort -T -c /etc/snort/snort.conf -i eth0
sudo snort -A console -c /etc/snort/snort.conf -i eth0
Snort detect nothing (for  exemple ‘1or1=1#)

But when I deleted the part pcre of the rule, snort detect it
***********************************************************

***********************************

alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection

attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002;
rev:002;)

***********************************************************

************************************



Someone can help me, why the first rule does not work  (pcre )
Thank's.


Sent from Mail for Windows 10


------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: