Snort mailing list archives
Re: how can we alert on web visiting activity?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 19 Nov 2009 16:42:15 -0500
This has bitten us in the rear as well. Adding the following lines to your snort.conf file will also act the same as using the "-k" option. Here is a section of our snort.conf related to this:

---snip---
#
# Don't drop stuff because of the checksum (snort -k)
#
config checksum_mode: none
---snip---

I am sure there is a great reason to allow packets to be ignored due to bad checksums, but having this be default behavior can cause some issues for users. I guess in theory the network devices/clients/servers should be disregarding the packets due to the bad checksums?

-- Eoin

mary andrews wrote:
got it, that's what it was, it worked!!!!! Many, MANY THANKS!
m

On Thu, Nov 19, 2009 at 3:56 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

You may want to peek at the manual again. You turned off logging, not checksum checking.

-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode> Logging mode (pcap[default],ascii,none)

-evilghost

mary andrews wrote:
> I tried it with the upper case K, still nothing.
>
> c:\snort\bin\snort -A console -i 2 -c c:\snort\etc\snort.conf -l c:\snort\log -K none -s
>
> On Thu, Nov 19, 2009 at 3:13 PM, Joel Esler <jesler () sourcefire com> wrote:
>
>> Well, I don't know anything about the flowbits problem you are talking about.
>>
>> But I did ask an emailed question to devel about the functionality of rawbytes since there may be some misunderstanding.
>>
>> But I wasn't provided any pcaps or anything of problems...
>>
>> J
>>
>> On Thu, Nov 19, 2009 at 2:25 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
>>
>>> It was effectively communicated to Joel Esler who forwarded it to SF development. Flowbits are borked too by the way.
>>>
>>> Nigel Houghton wrote:
>>>
>>>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
>>>>
>>>>> What version of Snort are you using? I have had issues with content matching working correctly in the 2.8 branch (as have others at Emerging Threats), I was able to get content matching to work as expected by using the rawbytes option. See section 3.5.3 in the Snort manual.
>>>>>
>>>>> content:"ebay"; nocase; rawbytes;
>>>>>
>>>>> -evilghost
>>>>
>>>> If you have evidence to support your claim, we would like to see it. A bug report would be good, until then, please refrain from giving "advice" like this. Your recommendation is detrimental to performance.
>>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs () lists sourceforge net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>> --
>> Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com
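The checksum gate the thread is arguing about, as an added example that is not part of this thread and not Snort's own code: a small Python model of the -k / config checksum_mode decision sitting in front of a content:"ebay"; nocase; match. The six mode names are the ones evilghost quotes from the manual; the packets, addresses and the zeroed TCP checksum (a constructed stand-in for a checksum the NIC had not yet filled in when the packet was captured) are all constructed here, and the "ignored" / "alert" / "no-match" labels are this example's own.

```python
"""Model of Snort's checksum_mode gate in front of a content rule.

Added example, not Snort source: shows why a packet with a bad TCP checksum
never reaches the rule engine under the default "all" mode but is inspected
under "none" (or "notcp"). All packets below are constructed.
"""
import struct

IP_PROTO_TCP = 6
# Mode names as listed for snort -k: all,noip,notcp,noudp,noicmp,none
CHECKSUM_MODES = ("all", "noip", "notcp", "noudp", "noicmp", "none")


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src: str, dst: str, payload: bytes,
                     break_tcp_checksum: bool = False) -> bytes:
    """Build a minimal IPv4/TCP packet with a correct IP header checksum.

    With break_tcp_checksum=True the TCP checksum is left as 0x0000, a
    constructed stand-in for a checksum the NIC had not yet computed.
    """
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)
    if break_tcp_checksum:
        tcp_csum = 0
    else:
        tcp_csum = rfc1071_checksum(pseudo + tcp_hdr + payload) or 0xFFFF
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64,
                         IP_PROTO_TCP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", rfc1071_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def checksums_ok(packet: bytes) -> tuple:
    """Return (ip_checksum_ok, tcp_checksum_ok) for an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, segment = packet[:ihl], packet[ihl:]
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    # A valid checksum makes the one's-complement sum over the covered bytes come out to 0.
    return rfc1071_checksum(ip_hdr) == 0, rfc1071_checksum(pseudo + segment) == 0


def passes_checksum_gate(packet: bytes, mode: str) -> bool:
    """checksum_mode semantics for a TCP packet: "all" verifies both layers,
    "noip"/"notcp" skip one layer, "noudp"/"noicmp" do not affect TCP,
    "none" verifies nothing."""
    if mode not in CHECKSUM_MODES:
        raise ValueError(f"unknown checksum_mode {mode!r}")
    ip_ok, tcp_ok = checksums_ok(packet)
    check_ip = mode not in ("noip", "none")
    check_tcp = mode not in ("notcp", "none")
    return (ip_ok or not check_ip) and (tcp_ok or not check_tcp)


def rule_matches(packet: bytes) -> bool:
    """The thread's content:"ebay"; nocase; test, applied to the TCP payload."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    return b"ebay" in packet[ihl + doff:].lower()


def inspect(packet: bytes, mode: str) -> str:
    """What the sensor does with the packet: 'ignored', 'alert' or 'no-match'."""
    if not passes_checksum_gate(packet, mode):
        return "ignored"                    # discarded before rule evaluation
    return "alert" if rule_matches(packet) else "no-match"


# Constructed sample traffic: one HTTP request, captured once with good checksums
# and once with the TCP checksum still unset.
REQUEST = b"GET / HTTP/1.1\r\nHost: www.EBAY.com\r\n\r\n"
GOOD = build_tcp_packet("10.0.0.5", "198.51.100.20", REQUEST)
OFFLOADED = build_tcp_packet("10.0.0.5", "198.51.100.20", REQUEST, break_tcp_checksum=True)

if __name__ == "__main__":
    for mode in ("all", "notcp", "none"):
        print(f"{mode:6s} good={inspect(GOOD, mode):9s} offloaded={inspect(OFFLOADED, mode)}")
```

Under "all" the offloaded copy is silently ignored while the identical good copy alerts, which is exactly the symptom in the thread: a rule that "does not fire" can be a capture-side checksum problem rather than a content-matching bug. Before rewriting rules (or adding rawbytes), validate the checksums in a capture taken from the same interface; if they are consistently wrong for one direction of traffic, the fix belongs in the checksum_mode setting or in the capture setup, not in the signature.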