Snort mailing list archives
Re: (no subject)
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 19 Aug 2017 02:03:34 +0000
Try this. For the traffic, I just curled to facebook. Then I added your rule to a stripped-down conf file.

[alewis@localhost snort-2.9.9.0-released]$ ./bin/snort -c etc/facebook.conf -r etc/facebook.pcap -Acmg -q
08/18-09:34:12.842568  [**] [1:1000002:1] entro a facebook [**] [Priority: 0] {TCP} 31.13.69.228:80 -> 10.0.2.15:48728
08/18-09:34:12.842568 52:54:00:12:35:02 -> 08:00:27:09:EE:69 type:0x800 len:0x18C
31.13.69.228:80 -> 10.0.2.15:48728 TCP TTL:64 TOS:0x0 ID:43349 IpLen:20 DgmLen:382
***AP*** Seq: 0xC44A02  Ack: 0x8304A741  Win: 0xFFFF  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 33 30 32 20 46 6F 75  HTTP/1.1 302 Fou
6E 64 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74  nd..Location: ht
74 70 73 3A 2F 2F 77 77 77 2E 66 61 63 65 62 6F  tps://www.facebo
6F 6B 2E 63 6F 6D 2F 0D 0A 58 2D 46 42 2D 44 65  ok.com/..X-FB-De
62 75 67 3A 20 6E 55 4D 42 37 69 51 59 41 73 76  bug: nUMB7iQYAsv
47 36 4F 71 69 39 30 59 68 79 71 55 75 57 72 64  G6Oqi90YhyqUuWrd
2F 4B 46 55 6C 37 75 33 6E 73 2B 71 79 55 76 41  /KFUl7u3ns+qyUvA
4B 72 4A 52 63 67 53 2B 58 62 33 71 6B 4A 42 34  KrJRcgS+Xb3qkJB4
4E 6B 7A 32 50 47 6D 2B 33 6E 79 62 64 50 51 57  Nkz2PGm+3nybdPQW
5A 4D 4B 59 35 4F 46 32 70 48 67 3D 3D 0D 0A 44  ZMKY5OF2pHg==..D
61 74 65 3A 20 46 72 69 2C 20 31 38 20 41 75 67  ate: Fri, 18 Aug
20 32 30 31 37 20 31 33 3A 33 36 3A 31 34 20 47   2017 13:36:14 G
4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  MT..Content-Leng
74 68 3A 20 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54  th: 0..Content-T
79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B 20  ype: text/html; 
63 68 61 72 73 65 74 3D 55 54 46 2D 38 0D 0A 56  charset=UTF-8..V
69 61 3A 20 31 2E 31 20 72 74 70 35 2D 64 6D 7A  ia: 1.1 rtp5-dmz
2D 77 73 61 2D 36 2E 63 69 73 63 6F 2E 63 6F 6D  -wsa-6.cisco.com
3A 38 30 20 28 43 69 73 63 6F 2D 57 53 41 2F 31  :80 (Cisco-WSA/1
30 2E 31 2E 31 2D 32 33 35 29 0D 0A 43 6F 6E 6E  0.1.1-235)..Conn
65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69  ection: keep-ali
76 65 0D 0A 0D 0A                                ve....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Omar Johnatan Lopez Carrillo <olopez () utc edu mx>
Date: Friday, August 18, 2017 at 9:30 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] (no subject)

Good morning friends, I have the following rule but it doesn't send me an alert. I'd appreciate your help in finding out what I'm doing wrong:

alert tcp any any -> any any (content:"https://www.facebook.com";msg:"entro a facebook";sid:1000002;rev:001;)

Regards

--
Ing. Omar J. Lopez Carrillo
Technical Support
Universidad Tecnológica de Coahuíla
Tel: 288 388 00 ext: 173
Attachment:
facebook.conf
Description: facebook.conf
Attachment:
facebook.pcap
Description: facebook.pcap
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
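Added example, not code from Al's reply or from the Snort project: a small Python script that applies the posted rule the way Snort's raw content match does, to both halves of the HTTP exchange, so you can see which packet actually carries the literal. The server's 302 response is rebuilt byte for byte from the hex dump above; the client request is constructed here to look like what curl sends and is not in the thread. The parser handles only "any"/exact IP and port in the rule header, plain and |hex| content, and nocase; preprocessors, http_* buffers, distance/within and $VARIABLES are out of scope.

```python
"""Offline check of a Snort content rule against captured TCP payloads.
Covers only: header with any/exact IP and port, content: with |hex| sections,
and nocase. No preprocessors, http_* buffers, distance/within or $VARIABLES."""

RULE = ('alert tcp any any -> any any (content:"https://www.facebook.com";'
        'msg:"entro a facebook";sid:1000002;rev:001;)')

# Server -> client packet rebuilt from the hex dump in the reply above
# (342 payload bytes: DgmLen 382 minus 20 IP and 20 TCP header bytes).
RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.facebook.com/\r\n"
    b"X-FB-Debug: nUMB7iQYAsvG6Oqi90YhyqUuWrd/KFUl7u3ns+qyUvAKrJRcgS+Xb3qkJB4"
    b"Nkz2PGm+3nybdPQWZMKY5OF2pHg==\r\n"
    b"Date: Fri, 18 Aug 2017 13:36:14 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Via: 1.1 rtp5-dmz-wsa-6.cisco.com:80 (Cisco-WSA/10.1.1-235)\r\n"
    b"Connection: keep-alive\r\n\r\n")

# Client -> server packet, constructed for this example (not in the thread):
# roughly what curl sends for http://facebook.com/. No URL literal in it.
REQUEST = (b"GET / HTTP/1.1\r\nHost: facebook.com\r\n"
           b"User-Agent: curl/7.47.0\r\nAccept: */*\r\n\r\n")

PACKETS = [
    {"proto": "tcp", "src": "10.0.2.15", "sport": 48728,
     "dst": "31.13.69.228", "dport": 80, "payload": REQUEST},
    {"proto": "tcp", "src": "31.13.69.228", "sport": 80,
     "dst": "10.0.2.15", "dport": 48728, "payload": RESPONSE},
]

def parse_rule(text):
    """Header fields plus an ordered list of (option, value); ';' inside quotes is kept."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options, piece, in_quotes = [], [], False
    for ch in body.rstrip().rstrip(")") + ";":   # final ';' flushes the last option
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            key, _, val = "".join(piece).strip().partition(":")
            if key:
                options.append((key.strip(), val.strip()))
            piece = []
        else:
            piece.append(ch)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """content: argument -> bytes; text between '|' pairs is hex (e.g. |0d 0a|)."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def header_matches(rule, pkt):
    """Protocol, then src/sport/dst/dport each as 'any' or an exact value ('->' only)."""
    want = (rule["src"], rule["sport"], rule["dst"], rule["dport"])
    have = (pkt["src"], str(pkt["sport"]), pkt["dst"], str(pkt["dport"]))
    return rule["proto"] == pkt["proto"] and all(
        w in ("any", h) for w, h in zip(want, have))

def evaluate(rule, pkt):
    """Offset of each content: match in the payload, or None if the rule misses."""
    if not header_matches(rule, pkt):
        return None
    patterns = []   # [pattern, nocase]; a nocase option modifies the preceding content
    for key, val in rule["options"]:
        if key == "content":
            patterns.append([decode_content(val), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True
    offsets = []
    for pattern, nocase in patterns:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        off = hay.find(pattern.lower() if nocase else pattern)
        if off < 0:
            return None
        offsets.append(off)
    return offsets

def alert_line(rule, pkt):
    """Snort-style '[**] [gid:sid:rev] msg [**] {PROTO} src:port -> dst:port', or None."""
    if evaluate(rule, pkt) is None:
        return None
    opts = dict(rule["options"])
    return "[**] [1:%d:%d] %s [**] {%s} %s:%d -> %s:%d" % (
        int(opts.get("sid", 0)), int(opts.get("rev", 0)), opts.get("msg", "").strip('"'),
        pkt["proto"].upper(), pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def run(rule_text=RULE, packets=PACKETS):
    """Apply one rule to every packet and return the alert lines it raises."""
    rule = parse_rule(rule_text)
    return [line for line in (alert_line(rule, p) for p in packets) if line]

if __name__ == "__main__":
    for line in run():
        print(line)
```

Running it prints the same alert line Al's run produced, and only for the server-to-client packet: the literal sits in the Location header of the plaintext redirect that http://facebook.com returns on port 80, at payload offset 30, and nowhere in the request. That is also the caveat for the rule as written: once the client follows the redirect to HTTPS, the payload is TLS and a raw content match on a URL has nothing to find (the TLS ClientHello's SNI carries the host name, not the https:// scheme), so the rule only ever fires on traffic that was still plaintext.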
Current thread:
- Re: (no subject), (continued)
- Re: (no subject) Omar Johnatan Lopez Carrillo (Aug 02)
- (no subject) Omar Johnatan Lopez Carrillo (Aug 08)
- Re: (no subject) Paulo Angelo (Aug 09)
- (no subject) Omar Johnatan Lopez Carrillo (Aug 09)
- Re: (no subject) Marcin Dulak via Snort-users (Aug 09)
- Re: (no subject) Joel Esler (jesler) via Snort-users (Aug 09)
- Re: (no subject) Marcin Dulak via Snort-users (Aug 09)
- (no subject) Михаил Локтионов via Snort-users (Aug 15)
- (no subject) Marco Bonilla via Snort-users (Aug 17)
- (no subject) Omar Johnatan Lopez Carrillo (Aug 18)
- Re: (no subject) wkitty42 (Aug 18)
- Re: (no subject) Al Lewis (allewi) via Snort-users (Aug 18)
- (no subject) stephane Eteme via Snort-users (Sep 13)
- (no subject) salah ali via Snort-users (Sep 20)
- (no subject) Paul O'Brien via Snort-users (Sep 30)
- (no subject) marcel cahya via Snort-users (Sep 30)