Re: Rules not hit on 2.9.1.1 sensor

[Joel Esler <jesler () sourcefire com>]

I don't know what the ET rules look like, however, it's possible that the rules aren't looking in the right buffers, or 
are incorrectly written for the buffers they are trying to address.

Much has changed in between 2.8.6 and 2.9.1.1.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 20, 2011, at 12:49 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all
>
> Apologies, I was being a bit stupid.
>
> snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O
>
> 10/20-17:32:16.442956  [**] [1:2012686:1] ET TROJAN SpyEye Checkin
> version 1.3.25 or later [**] [Classification: A Network Trojan was
> detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 ->
> xxx.xxx.xxx.xxx:8080
> 10/20-17:34:48.278042  [**] [1:2012686:1] ET TROJAN SpyEye Checkin
> version 1.3.25 or later [**] [Classification: A Network Trojan was
> detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62088 ->
> xxx.xxx.xxx.xxx:8080
> 10/20-17:37:20.332410  [**] [1:2012686:1] ET TROJAN SpyEye Checkin
> version 1.3.25 or later [**] [Classification: A Network Trojan was
> detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62113 ->
> xxx.xxx.xxx.xxx:8080
>
> So yes, my 2.9.1.1 sensor alerts from a pcap but not from the same
> traffic being received via afpacket/DAQ.
>
> However the simple GET rule:
> alert tcp any any -> any any (content:"GET /job/evil.exe ";
> content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1;
> sid:4100005; rev:1;)
>
> is still firing when I test it.
>
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division     Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJOoFEGAAoJELhVoVpEMS6R4+AIAMAXkavAFgDo8Xpp8j8hY5cy
> UtksDL81Kb089A7gNJ8C/z46c7aVzSw+khEosErIyuaNNi+j1xR0fjQlxKcOfGkG
> 3b3KBtwIUq8an19tmRjqjY7c26dgbI3OuOWJN+MryMsqWmb184P4m2hoMSpCJJYW
> RrTbXI5VD9M/fWlkh1G8jGDsh+OzAIotjZL+zZIDtiAsW3HHKCXO1NRvpHeaeV56
> BkYpPjAITHYiJvU2tBWZue41M6Ek2GHX8rDfSKsv8323+0Wr6g5BP2XAp1Ix36Sv
> t0dFayrU7sEb6nkzSrebMi0kUHHP7LECS3KmncnsDRAzn9EFo06UTwoKSo0S4gg=
> =37hR
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Ciosco Self-Assessment and learn 
> about Cisco certifications, training, and career opportunities. 
> http://p.sf.net/sfu/cisco-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!