Re: Rules not hit on 2.9.1.1 sensor

[Martin Holste <mcholste () gmail com>]

The same happens on 2.9.1.1 when using a pcap readfile?

On Thu, Oct 20, 2011 at 9:42 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello again all
>
> On 20/10/2011 13:43, Peter Bates wrote:
> > I have an old box running Snort 2.8.6, which is behind a firewall.
> > I'm working on a new box running Snort 2.9.1.1 which (for various
> > reasons) is in front of the firewall.
>
> As a cross check I've compiled 2.8.6 on the 'new' box and also copied
> the working configuration from the 'old' box onto there.
>
> When I run it, my test rule:
>
> > A test rule on both boxes: alert tcp any any -> any any
> > (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com";
> > msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)
>
> is hit, but SIDs like
> 2012686 (ET TROJAN SpyEye Checkin version 1.3.25 or later)
> 2009486 (ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1) )
> 2011894 (ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin)
> ... which are being hit on the 'old' box are not seen at all on the new.
>
> Although the 'new' box is in front of the firewall I'm a bit lost as
> to why the traffic is being missed - although tcpdump/httpry does see
> the traffic.
>
> - --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOoDNJAAoJELhVoVpEMS6R/WoH/34FnBHdO5WAaYc2s2WD7Sjo
> kEx5JhdeZTK/MniIu+jzLxthHWXGLIu2nCyRb1mt6VZ3gzv6y4DyPVotB0Tn0Yn9
> Kecq+dQLodU/VSD8mjqkJ72z0bLUdbA7ED9Sy9e2+V8zWKcrkctcXwhORdNL5Z/v
> 65tlBv4kGFipby5pnZJTU/hhU4HeVr2MVtQh/Zk5/FO1LaAtZdeyOzPgfc91FlLM
> O/QuH46ecriTDQvffw2VWY+l6ba4+T+ByfH89jV0BpcV494a87us7mzdeVW1+Fq3
> iUqTFaZqnd/30ZXKccoDNW1mdYLrwQWthttQBWkjMoy6XD+fs6zvjFD3x7GacvI=
> =N0jw
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Ciosco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!