Snort mailing list archives
FW: snort with daq inline mode problem
From: <pawelsw1 () o2 pl>
Date: Sat, 31 Mar 2018 11:14:51 +0200
Hello, I have a problem with Snort. I see in the log that it is dropping the connection, but the TCP reset is sent after the operation is completed (CREATE or DROP TABLE in the database). I have a rule that checks if a table in the database is dropped or created. Could you help me?

drop tcp any any -> any 3306 (msg:"Block SQL Command : CREATE TABLE"; flow:from_client,established; content: "CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052203)

snort -c /etc/snort/snort.conf -Q -i eth0:eth1 -A console

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth0:eth1".
Reload thread starting...
Reload thread started, thread 0x7f393bb31700 (11945)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>

Commencing packet processing (pid=11936)
Decoding Ethernet
03/30-22:13:04.167644  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
03/30-22:13:04.167633  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
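Added example (editor's note, not part of the original post and not Snort code): the posted CREATE TABLE rule combines two payload options, content:"CREATE|20|"; nocase; and pcre:"/CREATE.+TABLE/i";, which Snort evaluates against the same packet payload. The script below rebuilds that matching logic in Python over constructed MySQL COM_QUERY packets, so the reader can see which client queries the options would and would not fire on. The packet builder, the port-only approximation of flow:from_client, and all sample queries are assumptions of this example; the DROP TABLE rule (sid 65000004) seen in the log is not on the page, so only the CREATE TABLE rule is modelled, but the helper accepts any content/pcre pair.

```python
import re
import struct

# Constructed MySQL client packet (assumption of this example): 3-byte
# little-endian payload length, 1-byte sequence id, then the payload. For
# COM_QUERY the payload is the command byte 0x03 followed by the SQL text.
def build_com_query(sql: str, seq: int = 0) -> bytes:
    payload = b"\x03" + sql.encode("utf-8")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

# The two detection options from the posted rule, expressed in Python.
# Snort checks both against the same payload; the rule fires only if every
# option matches.
#   content:"CREATE|20|"; nocase;  -> the bytes "CREATE " (|20| is a space), case-insensitive
#   pcre:"/CREATE.+TABLE/i";       -> a case-insensitive regex over the payload
RULE_CONTENT = b"CREATE "
RULE_PCRE = re.compile(rb"CREATE.+TABLE", re.IGNORECASE)


def options_match(payload: bytes,
                  content: bytes = RULE_CONTENT,
                  pcre: re.Pattern = RULE_PCRE) -> bool:
    """True when both the nocase content and the pcre hit the same payload."""
    content_hit = content.lower() in payload.lower()   # nocase content match
    pcre_hit = pcre.search(payload) is not None
    return content_hit and pcre_hit


def evaluate(src_port: int, dst_port: int, payload: bytes,
             content: bytes = RULE_CONTENT,
             pcre: re.Pattern = RULE_PCRE) -> str:
    """Return 'drop' or 'pass' for one packet under the rule header
    'drop tcp any any -> any 3306'. flow:from_client is approximated here
    as 'destination port is 3306' (an assumption; Snort tracks real stream
    direction and requires an established session)."""
    if dst_port != 3306:
        return "pass"
    return "drop" if options_match(payload, content, pcre) else "pass"


def verdict_for_query(sql: str) -> str:
    """Build a COM_QUERY from a client ephemeral port and evaluate it."""
    return evaluate(63496, 3306, build_com_query(sql))


if __name__ == "__main__":
    # Constructed sample queries
    for q in ["CREATE TABLE t (id INT)",
              "create table t (id int)",
              "CREATE TEMPORARY TABLE tmp (x INT)",
              "CREATE INDEX i ON t (id)",
              "SELECT * FROM t"]:
        print(f"{verdict_for_query(q):4}  {q}")
```

Running the block prints a verdict per query: the first three are dropped, while CREATE INDEX passes because the content option matches but the pcre needs TABLE after CREATE, and SELECT passes because neither option matches. Note that this models only the payload options on a single packet; whether the drop actually prevents the statement from reaching the server depends on the DAQ inline path, which this script does not simulate.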