Snort mailing list archives
Re: New in using snort by some troubles
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 25 Apr 2010 06:31:00 -0700
Are you trying to detect this on the same box that you are generating the traffic on? Try adding -k none to your command line.

--
Sent from my iPad
AIM: eslerjoel

On Apr 24, 2010, at 10:00 PM, supercodeing35271 supercodeing35271 <supercodeing35271 () gmail com> wrote:
Hi, I have some trouble with Snort. The situation is that I want to test
whether Snort can detect a SQL injection attack against my website, so I
need to capture the HTTP form data sent to my website's server, which is
Tomcat.
The rule file is just below.
myrule.rules:
include /home/my/mysnort/myrule/classification.config
preprocessor stream5_global: \
    max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: \
    policy first, use_static_footprint_sizes
preprocessor stream5_udp: \
    ignore_any_rules
preprocessor http_inspect: \
    global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default profile all ports { 80 }
alert tcp any any -> any any (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".jsp"; content:"jjjjjjjjjj"; classtype:Web-application-attack; sid:39099;)
OK, now start Snort:
sudo snort -i lo -l ./log -c /home/my/mysnort/myrule/myrule.rules
Snort is running; there is just a message that says "Not Using
PCAP_FRAMES". I don't know what this means.
Now open Eclipse, run Tomcat, then run my website program in
Eclipse. In the default.jsp page there is a form submit which serves as a
login function. Now I enter the username "jjjjj" and password "jjjjj" and
click the submit button; the login data must be sent to Tomcat for
handling.
If everything is OK, I should see "SQL Injection - Paranoid" in the
alert file, but in the file I only see a lot of "Bad Traffic Same
Src/Dst".
Now what should I do? As a new Snort user it seems that I have
several things wrong, but I don't know exactly where the mistakes
are.
So please give me some help, thanks!
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
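Added example, not part of the original thread and not Snort code: the -k option suggested in the reply selects Snort's checksum mode, and traffic captured on the host that generates it often carries TCP checksums the sending stack never finalized. The sketch below verifies the checksum of a constructed loopback segment; the function names, ports, payload and the simplified `inspected` model are assumptions made for illustration.

```python
import socket
import struct

SRC = DST = "127.0.0.1"  # constructed loopback flow, as with `snort -i lo`

def internet_checksum(data: bytes) -> int:
    """RFC 1071: complement of the folded 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_segment(payload: bytes, finalized: bool) -> bytes:
    """Constructed TCP segment; finalized=False leaves a wrong checksum field."""
    # sport, dport, seq, ack, data offset, flags PSH|ACK, window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = internet_checksum(pseudo_header(SRC, DST, len(segment)) + segment)
    if not finalized:
        csum ^= 0x0001  # stand-in for a field the sending stack never completed
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def tcp_checksum_ok(segment: bytes) -> bool:
    """A valid segment sums to zero together with its pseudo-header."""
    return internet_checksum(pseudo_header(SRC, DST, len(segment)) + segment) == 0

def inspected(segment: bytes, checksum_mode: str = "all") -> bool:
    """Simplified model (assumption): 'all' skips bad-checksum segments, 'none' does not verify."""
    return checksum_mode == "none" or tcp_checksum_ok(segment)

# Constructed request resembling the login form submission in the thread.
PAYLOAD = b"POST /default.jsp HTTP/1.1\r\nHost: localhost\r\n\r\nusername=jjjjj&password=jjjjj"
ON_WIRE = build_segment(PAYLOAD, finalized=True)
LOCAL = build_segment(PAYLOAD, finalized=False)

if __name__ == "__main__":
    for name, seg in (("on the wire", ON_WIRE), ("captured locally", LOCAL)):
        print(name, "checksum ok:", tcp_checksum_ok(seg),
              "| default mode:", inspected(seg), "| -k none:", inspected(seg, "none"))
```
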
Current thread:
- New in using snort by some troubles supercodeing35271 supercodeing35271 (Apr 24)
- Re: New in using snort by some troubles Joel Esler (Apr 25)
