Snort mailing list archives
Re: New in using snort by some troubles
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 25 Apr 2010 06:31:00 -0700
Are you trying to detect this on the same box that you are generating the traffic on? Try adding -k none to your command line.

--
Sent from my iPad
AIM: eslerjoel

On Apr 24, 2010, at 10:00 PM, supercodeing35271 supercodeing35271 <supercodeing35271 () gmail com> wrote:
Hi, I have some trouble with snort. The situation is that I want to test whether snort can detect a SQL injection attack on my website, so I need to catch the HTTP form data sent to my website server, which is Tomcat. The rule file is just below.

myrule.rules:

include /home/my/mysnort/myrule/classification.config
preprocessor stream5_global: \
    max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: \
    policy first, use_static_footprint_sizes
preprocessor stream5_udp: \
    ignore_any_rules
preprocessor http_inspect: \
    global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default profile all ports { 80 }
alert tcp any any -> any any (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".jsp";content:"jjjjjjjjjj";classtype:Web-application-attack; sid:39099;)

OK, now start snort:

sudo snort -i lo -l ./log -c /home/my/mysnort/myrule/myrule.rules

Snort is running, but there is a message that says "Not Using PCAP_FRAMES"; I don't know what this means.

Now I open Eclipse, run Tomcat, then run my website program in Eclipse. In the default.jsp page there is a form submit which works as a login function. Now I enter the username "jjjjj" and password "jjjjj" and click the submit button; the login data must be sent to Tomcat for handling.

If everything is OK, in the alert file I should see "SQL Injection - Paranoid", but in the file I only see a lot of "Bad Traffic Same Src/Dst".

Now what should I do? As a new user of snort it seems that I have gotten several things wrong, but I don't know exactly where the mistake is. So please give me some help, thanks!
------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
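Background for the -k none suggestion, as an added example that is not part of the thread and is not Snort's code: -k sets Snort's checksum verification mode, and a segment whose TCP checksum was never filled in (as can happen when traffic is captured on the machine that generated it) fails that check. The addresses, ports, payload and the would_inspect helper are constructed for illustration; that this is the cause of the poster's missing alert is an assumption.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def build_segment(src_ip, dst_ip, payload: bytes, fill_checksum: bool) -> bytes:
    """Constructed sample segment (ports and seq/ack numbers are made up)."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000,
                         5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK, checksum field 0
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment

def checksum_ok(src_ip, dst_ip, segment) -> bool:
    """A valid segment sums to 0xFFFF once its checksum field is included."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def would_inspect(src_ip, dst_ip, segment, checksum_mode: str = "all") -> bool:
    """Simplified model (an assumption, not Snort code) of the -k decision."""
    if checksum_mode in ("none", "notcp"):
        return True
    return checksum_ok(src_ip, dst_ip, segment)

if __name__ == "__main__":
    lo = "127.0.0.1"
    body = b"user=jjjjj"  # constructed form data
    for label, filled in (("checksum filled", True), ("checksum left at 0", False)):
        seg = build_segment(lo, lo, body, filled)
        print(label, "| -k all:", would_inspect(lo, lo, seg, "all"),
              "| -k none:", would_inspect(lo, lo, seg, "none"))
```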
Current thread:
- New in using snort by some troubles supercodeing35271 supercodeing35271 (Apr 24)
- Re: New in using snort by some troubles Joel Esler (Apr 25)