Snort mailing list archives

Re: Rules not hit on 2.9.1.1 sensor


From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 21 Oct 2011 12:51:04 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello again all...

I tried to pinpoint my problem by performing packet captures
on my 2.9.1.1 sensor and my 2.8.6 sensor.

The 2.9.1.1 sensor would consistently alert from captures made on the
older system:

snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O

10/20-17:32:16.442956  [**] [1:2012686:1] ET TROJAN SpyEye Checkin
version 1.3.25 or later [**] [Classification: A Network Trojan was
detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 ->
xxx.xxx.xxx.xxx:8080

But detected nothing in the capture on the newer system.

I've now swapped the systems around so the 2.9.1.1 system is 'behind'
the firewall and it is seeing everything I'm expecting - so there's
clearly an oddity with my SPAN port that is in front of my firewall.

I've got pcaps from both sides but haven't gone as far as looking at
the difference between the two but clearly post-firewall some of the
packets are being lost.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOoVyoAAoJELhVoVpEMS6RsNUH/Ru5DSoA8rUmHtQJKccn3XA6
Gd3G3GslphvdvgbdkjiE31tmtJmhFZpXR1kegqf8w7RvY1XGiKmGpb8KCMu6BIbK
bKHPRElSBg1aAIHL68it5darZlg0LHLNmZqUKyCSWh8kmUrCmdMFTnd7RkOdKG0p
qM3HesHroKVPuYt/KduTqxBzcU/z4pmJotjGPoqla67ESwkm+lbIcSOFK4r0uaE5
2OjyBC6ssk9T6nJrT4HNb+3bLB1YMtTyQudoZ2+R6qc1AFDI/BpgrYWTz+Xub+gX
MshvfE6QQ/0wRwQrQjsg8IVbobVhASNvf4iU8VymZDSrirXVUnc6xsrPc51R3l4=
=mqzY
-----END PGP SIGNATURE-----
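The post stops short of actually diffing the two captures. The script below is an added example (not from the thread, not from the Snort project) of how a practitioner would do that: parse both pcaps, identify each TCP segment by (src, sport, dst, dport, seq, payload length), and list the segments present on one side but absent on the other. It assumes classic libpcap files with Ethernet/IPv4/TCP frames, as a Snort sensor normally records, and only the standard library. The two sample captures are constructed inline (addresses, ports and timestamps are made up) so that it runs offline; the "SPAN" capture has one segment removed to stand in for a loss on the span.

```python
"""Diff two pcap files captured at two vantage points (here: the SPAN port in
front of the firewall and the sensor behind it) and list the TCP segments
that appear in one capture but not the other. Stdlib only; handles classic
libpcap files with Ethernet/IPv4/TCP frames. Added example, not thread code."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for every record in a classic pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # little-endian file header
    elif magic == 0xD4C3B2A1:
        endian = ">"            # big-endian file header
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_key(frame):
    """Identify a TCP segment by (src, sport, dst, dport, seq, payload_len).

    Returns None for anything that is not Ethernet/IPv4/TCP. Sequence number
    plus payload length keeps the key stable across two captures of the same
    stream even when the sensors used different snaplens."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP:
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport, seq, len(tcp) - data_off)


def diff_captures(pcap_a, pcap_b):
    """Return (only_in_a, only_in_b) as Counters of segment keys.

    Counters rather than sets, so a segment seen twice at point A (a
    retransmission) but once at point B shows up as one missing copy."""
    count_a = Counter(k for _, f in iter_pcap(pcap_a) if (k := tcp_key(f)))
    count_b = Counter(k for _, f in iter_pcap(pcap_b) if (k := tcp_key(f)))
    return count_a - count_b, count_b - count_a


# --- Constructed sample data (not from the thread): two tiny captures -------

def build_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for key extraction."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip          # dummy MACs + ethertype


def build_pcap(frames):
    """Little-endian classic pcap, Ethernet link type, constructed timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1319128336 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"                 # hypothetical hosts
SEGMENTS = [build_frame(CLIENT, 62074, SERVER, 8080, 1000 + i * 100, b"X" * 100)
            for i in range(5)]
BEHIND_FIREWALL = build_pcap(SEGMENTS)                     # complete stream
SPAN_IN_FRONT = build_pcap(SEGMENTS[:2] + SEGMENTS[3:])    # third segment lost


def demo():
    """Diff the two constructed captures; returns (missing_on_span, extra_on_span)."""
    missing_on_span, extra_on_span = diff_captures(BEHIND_FIREWALL, SPAN_IN_FRONT)
    return sorted(missing_on_span), sorted(extra_on_span)


if __name__ == "__main__":
    miss, extra = demo()
    print("segments missing from SPAN capture:", miss)
    print("segments only in SPAN capture:", extra)
```

Two caveats when using this on real captures. If the firewall rewrites addresses or ports (NAT), the five-tuple will differ on the two sides and the key should instead be built from the sequence number and a hash of the payload. And a SPAN port that feeds a sensor in front of a firewall is an oversubscription risk on its own: the switch silently drops mirrored frames once the aggregate of the mirrored traffic exceeds the destination port's rate, so the switch's SPAN drop counters are the first thing to check once the diff confirms segments are missing.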


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users