Snort mailing list archives
Re: TCP packets detection problem ?
From: Antonio Eugenio Villar <eugeniovillar () yahoo com>
Date: Mon, 19 Apr 2004 06:58:52 -0700 (PDT)
I am having problems using content in Snort 2.x.x. These problems do not appear in Snort 1.9.0. If you want to try 1.9.0 to see if it works, let me know.

--- Michal Kowalski <x145 () wp pl> wrote:

Hello

Here is my snort.conf:

    var HOME_NET any
    var EXTERNAL_NET any
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    preprocessor frag2
    preprocessor stream4: detect_scans,disable_evasion_alerts
    preprocessor stream4_reassemble
    ruletype test1
    {
        type alert
    }
    test1 tcp any any <> any any (content:"KaZaA"; msg:"KAZAA TRAFFIC";)
    test1 tcp any any <> any any (msg:"ALL";)

So I want to detect KaZaA TCP traffic. But when I launch snort with such a configuration:

    snort -D -d -A fast -c /usr/local/etc/snort.conf

I receive in the logs only ALL logs while I'm using the Kazaa client; moreover, in the ALL logs there are many KaZaA strings, for example:

    [**] ALL [**]
    04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
    TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
    ***AP*** Seq: 0xA6E23B76  Ack: 0xEEA015A8  Win: 0x1920  TcpLen: 20
    48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
    76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
    0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
    30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
    6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
    4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
    6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka

So why can snort not detect this traffic? The interesting thing is, if I write the word KaZaA on IRC it's detected properly.

Could anybody help?

Thanx
Michal
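An added diagnostic, not code from the thread or from Snort: decode the hex column of the quoted `-d` packet dump back into payload bytes and apply the rule's `content:"KaZaA"` check the way Snort does it (byte-exact and case-sensitive by default, case-folded only with the `nocase` modifier). The payload text and the hypothetical helper names are constructed for this example; it shows that the exact string "KaZaA" is present once, at offset 101, and three times when matched case-insensitively, so the payload itself is not the reason the rule stays silent.

```python
import re

# Constructed from the packet dump quoted above: the payload of the HTTP 503
# response logged by the "ALL" rule (Snort -d output, hex column + ASCII column).
SNORT_DUMP = """\
48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72 HTTP/1.0 503 Ser
76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65 vice Unavailable
0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33 ..Retry-After: 3
30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72 00..X-Kazaa-User
6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54 name: Amissann2T
4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77 MO..X-Kazaa-Netw
6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61 ork: KaZaA..X-Ka
"""

# A Snort payload dump line is up to 16 hex byte pairs followed by an ASCII
# rendering; only the hex column is trusted, the ASCII column is discarded
# (it replaces non-printable bytes with '.', so it cannot be decoded back).
_HEX_COLUMN = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")


def decode_snort_dump(dump: str) -> bytes:
    """Rebuild the raw payload bytes from Snort's hex/ASCII packet dump."""
    payload = bytearray()
    for line in dump.splitlines():
        m = _HEX_COLUMN.match(line.strip())
        if m:
            payload += bytes.fromhex(m.group(1).strip())
    return bytes(payload)


def content_offsets(payload: bytes, pattern: bytes, nocase: bool = False) -> list:
    """Offsets at which a Snort 'content' pattern occurs in the payload.
    nocase=True mimics the nocase modifier; the default is a byte-exact,
    case-sensitive comparison, exactly like content:"KaZaA"; in the rule."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    hits, start = [], 0
    while (idx := hay.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


if __name__ == "__main__":
    data = decode_snort_dump(SNORT_DUMP)
    print(len(data), "payload bytes decoded")
    print('content:"KaZaA";         ->', content_offsets(data, b"KaZaA"))
    print('content:"KaZaA"; nocase; ->', content_offsets(data, b"KaZaA", nocase=True))
```

Because the match is found in the raw bytes, the next things to check are the pieces between the wire and the rule: which preprocessor (stream4 reassembly) hands the packet to detection, and whether the Snort version in use evaluates content the same way 1.9.0 did, as the reply above suggests.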
Current thread:
- TCP packets detection problem ? Michal Kowalski (Apr 18)
- Re: TCP packets detection problem ? Antonio Eugenio Villar (Apr 19)
- Re: TCP packets detection problem ? Josh Berry (Apr 19)