Snort mailing list archives
Having trouble firing certain rules
From: Robert Parker <robertmparker () gmail com>
Date: Mon, 24 Sep 2012 09:34:32 -0700
So I just installed snort yesterday, and I'm having trouble getting it to fully work. It will fire one of my rules, but not the other ones. I'm not sure what the problem is; I verified that snort was receiving all the packets, and the rules look fine.

Setup: Two Ubuntu 12.04 VMs running in VirtualBox, and configured over a local network. The box with snort is 192.168.1.3, and the other one is 192.168.1.2.

Command used to run snort:

    sudo snort -u snort -c /etc/snort/snort.conf -i eth1 -v --alert-before-pass

My rules:

    alert tcp any any -> any any (pcre:"/\d{3}-\d{2}-\d{4}/"; msg:"SSN Traffic"; sid:7000003;)
    alert tcp any any -> any any (content:"helloworld"; msg:"Hello World in TCP"; sid:7000002;)
    alert ip any any -> 192.168.1.3 any (msg:"Traffic to this computer"; sid:7000005;)
    alert ip any any -> 192.168.1.2 any (msg:"Traffic to other computer"; sid:7000006;)

Please only look at the last two rules for the moment. Whenever there are packets sent back and forth between the two computers, both rules should be fired. I am using wget to make an HTTP request from the 192.168.1.2 computer to try to trigger the rule. So the expected result is that the last two rules should both cause alerts, but I am only seeing alert messages for "Traffic to this computer".

Snort is being run in verbose mode, and it is printing out the packets it is receiving. Snort is printing out traffic going both ways, so it doesn't seem to be a data acquisition problem.

Installation method: http://openmaniak.com/snort_tutorial_snort.php
I followed this guide using the apt-get method, so my version is probably not the latest:

    robert@ubuntu1:~$ snort --version

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2011 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 8.12 2011-01-15
               Using ZLIB version: 1.2.3.4

Any help you can give would be greatly appreciated.
I dreamed about snort last night!

Robert Parker
RobertMParker () gmail com, rparker () gatech edu
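As an added illustration, not from the post or from the Snort project, here is a small Python matcher for the four rules quoted above, applied to two constructed packets (the wget request from 192.168.1.2 to 192.168.1.3 and the server's reply back) to show which sids a working Snort should raise for each direction of the exchange. It only understands the syntax these rules use (header fields, content, pcre without flags), and the packet contents are made up for the example.

```python
import ipaddress
import re

# The four rules quoted in the post, verbatim.
RULES = [
    r'alert tcp any any -> any any (pcre:"/\d{3}-\d{2}-\d{4}/"; msg:"SSN Traffic"; sid:7000003;)',
    'alert tcp any any -> any any (content:"helloworld"; msg:"Hello World in TCP"; sid:7000002;)',
    'alert ip any any -> 192.168.1.3 any (msg:"Traffic to this computer"; sid:7000005;)',
    'alert ip any any -> 192.168.1.2 any (msg:"Traffic to other computer"; sid:7000006;)',
]
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+):\s*("[^"]*"|[^;]*);')

def parse_rule(text):
    # Header fields plus an {option: value} dict with surrounding quotes stripped.
    action, proto, src, sport, _, dst, dport, body = HEADER.match(text).groups()
    opts = {k: v.strip('"') for k, v in OPTION.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def _addr_ok(rule_addr, ip):
    # 'any', a single host or a CIDR block; the post's rules only use single hosts.
    return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)

def matches(rule, pkt):
    # pkt: dict with proto, src, dst, sport, dport and payload (bytes).
    if rule["proto"] not in ("ip", pkt["proto"]):  # 'ip' rules match every protocol
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for side in ("sport", "dport"):
        if rule[side] != "any" and int(rule[side]) != pkt[side]:
            return False
    o = rule["opts"]
    if "content" in o and o["content"].encode() not in pkt["payload"]:
        return False
    if "pcre" in o:  # value is /regex/flags; flags are ignored here
        pattern = o["pcre"].rsplit("/", 1)[0][1:]
        if not re.search(pattern, pkt["payload"].decode("latin-1")):
            return False
    return True

def fired_sids(pkt, rules=RULES):
    # Sorted sids of every rule that matches one packet.
    return sorted(int(r["opts"]["sid"]) for r in map(parse_rule, rules) if matches(r, pkt))

# Constructed packets: the wget request from .2 to .3 and the reply from .3 back to .2.
REQUEST = {"proto": "tcp", "src": "192.168.1.2", "sport": 40000, "dst": "192.168.1.3", "dport": 80,
           "payload": b"GET /helloworld HTTP/1.1\r\nHost: 192.168.1.3\r\n\r\n"}
REPLY = {"proto": "tcp", "src": "192.168.1.3", "sport": 80, "dst": "192.168.1.2", "dport": 40000,
         "payload": b"HTTP/1.1 200 OK\r\n\r\nrecord 123-45-6789\n"}
```

Each of the two IP rules can only match packets in one direction, so over a full request/reply exchange both 7000005 and 7000006 should appear; if only 7000005 does while both directions are visible in verbose output, the gap is between packet capture and rule evaluation, not in the rules.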