Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 20 Oct 2011 13:21:05 -0400
I don't know what the ET rules look like, however, it's possible that the rules aren't looking in the right buffers, or are incorrectly written for the buffers they are trying to address. Much has changed in between 2.8.6 and 2.9.1.1.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 20, 2011, at 12:49 PM, Peter Bates wrote:
Hello all

Apologies, I was being a bit stupid.

snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O

10/20-17:32:16.442956 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 -> xxx.xxx.xxx.xxx:8080
10/20-17:34:48.278042 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62088 -> xxx.xxx.xxx.xxx:8080
10/20-17:37:20.332410 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62113 -> xxx.xxx.xxx.xxx:8080

So yes, my 2.9.1.1 sensor alerts from a pcap but not from the same traffic being received via afpacket/DAQ.

However the simple GET rule:

alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

is still firing when I test it.
--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Cisco Self-Assessment and learn about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
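To make Joel's point about buffers concrete, here is the raw-content test rule from the quoted message beside the same check rewritten against the Snort 2.9 HTTP inspection buffers; this is an added example written for this archive page, not a rule from the thread or from the ET ruleset. The second rule, sid 4100006, the variable names and the http_inspect_server port list are constructed for illustration.

```snort
# Raw-payload rule as posted above: the two content matches are searched in the
# plain TCP payload, independent of the HTTP preprocessor, so it fires the same way
# under pcap replay and under afpacket.
alert tcp any any -> any any (msg:"Test GET /job/evil.exe (raw content)"; \
    content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; \
    gid:1; sid:4100005; rev:1;)

# Same check bound to the normalized HTTP buffers (constructed example, sid 4100006).
# Each content only matches inside its buffer, and those buffers are only populated
# when http_inspect has reassembled the stream and classified it as HTTP on that port.
# A rule written this way stays silent if the traffic never reaches the preprocessor.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Test GET /job/evil.exe (HTTP buffers)"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/job/evil.exe"; http_uri; \
    content:"zoneseekers.com"; http_header; \
    classtype:trojan-activity; sid:4100006; rev:1;)

# snort.conf excerpt (assumed, not from the thread): the buffer-based rule can only
# fire on the 8080 connections seen in the alerts above if http_inspect is told to
# inspect that port, so the port list is the first thing to check when a rule hits
# from a pcap config but not from the live sensor config.
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
```

Running `snort -T -c <config>` against each of the two configurations (the pcap one and the afpacket one) validates the rules and preprocessor settings without sniffing, which makes differences between the two configs visible before comparing alert output.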