Snort mailing list archives

Having trouble firing certain rules
From: Robert Parker <robertmparker () gmail com>
Date: Mon, 24 Sep 2012 09:34:32 -0700

So I just installed snort yesterday, and I'm having trouble getting it
to fully work.  It will fire one of my rules, but not the other ones.
I'm not sure what the problem is; I verified that snort was receiving
all the packets, and the rules look fine.

Setup:
Two Ubuntu 12.04 VMs running in VirtualBox, and configured over a
local network.  The box with snort is 192.168.1.3, and the other one
is 192.168.1.2.

Command used to run snort:
sudo snort -u snort -c /etc/snort/snort.conf -i eth1 -v --alert-before-pass

My rules:
alert tcp any any -> any any (pcre:"/\d{3}-\d{2}-\d{4}/"; msg:"SSN Traffic"; sid:7000003;)
alert tcp any any -> any any (content:"helloworld"; msg:"Hello World in TCP"; sid:7000002;)
alert ip any any -> 192.168.1.3 any (msg:"Traffic to this computer"; sid:7000005;)
alert ip any any -> 192.168.1.2 any (msg:"Traffic to other computer"; sid:7000006;)

Please only look at the last two rules for the moment.  Whenever there
are packets sent back and forth between the two computers, both rules
should be fired.  I am using wget to make an HTTP request from the
192.168.1.2 computer to try and trigger the rule.

So the expected result is that the last two rules should both cause
alerts, but I am only seeing alert messages for "Traffic to this
computer".  Snort is being run in verbose mode, and it is printing out
the packets it is receiving.  Snort is printing out traffic going both
ways, so it doesn't seem to be a data acquisition problem.

Installation method:
http://openmaniak.com/snort_tutorial_snort.php
I followed this guide using the apt-get method, so my version is
probably not the latest.

robert@ubuntu1:~$ snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4
Any help you can give would be greatly appreciated.  I dreamed about
snort last night!

Robert Parker
RobertMParker () gmail com, rparker () gatech edu
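A small rule-header and option evaluator, added here as an illustration and not part of the original post or of Snort itself. It runs the four rules above against two constructed packets standing in for the wget request (192.168.1.2 -> 192.168.1.3) and the HTTP response going back, and shows that on the rule logic alone each of the two address rules is expected to fire on one direction of the exchange, so a missing "Traffic to other computer" alert points at something upstream of rule matching rather than at the rules. The port numbers and payloads are made up for the example.

```python
import re

# The four rules from the post, one per line (raw strings keep the pcre backslashes).
RULES = [
    r'alert tcp any any -> any any (pcre:"/\d{3}-\d{2}-\d{4}/"; msg:"SSN Traffic"; sid:7000003;)',
    r'alert tcp any any -> any any (content:"helloworld"; msg:"Hello World in TCP"; sid:7000002;)',
    r'alert ip any any -> 192.168.1.3 any (msg:"Traffic to this computer"; sid:7000005;)',
    r'alert ip any any -> 192.168.1.2 any (msg:"Traffic to other computer"; sid:7000006;)',
]
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+):(?:"((?:[^"\\]|\\.)*)"|([^;"]+));')  # key:"quoted"; or key:bare;

def parse_rule(text):
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {k: (q or b.strip()) for k, q, b in OPTION.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def _endpoint_ok(rule_addr, rule_port, ip, port):
    return (rule_addr in ("any", ip)) and (rule_port == "any" or int(rule_port) == port)

def header_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:  # "ip" covers tcp/udp/icmp
        return False
    fwd = (_endpoint_ok(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
           and _endpoint_ok(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"]))
    if rule["dir"] == "<>":  # bidirectional: also accept the swapped endpoints
        return fwd or (_endpoint_ok(rule["src"], rule["sport"], pkt["dst"], pkt["dport"])
                       and _endpoint_ok(rule["dst"], rule["dport"], pkt["src"], pkt["sport"]))
    return fwd

def options_match(rule, payload):
    o = rule["opts"]
    if "content" in o and o["content"].encode() not in payload:
        return False
    if "pcre" in o:  # pcre:"/expr/flags" -> plain regex search over the payload
        m = re.match(r"/(.*)/(\w*)$", o["pcre"])
        if not m or not re.search(m.group(1), payload.decode("latin-1")):
            return False
    return True

def alerts_for(rules, packets):
    """Return, per packet, the set of sids whose header and options both match."""
    parsed = [parse_rule(r) for r in rules]
    return [{int(r["opts"]["sid"]) for r in parsed
             if header_matches(r, p) and options_match(r, p["payload"])} for p in packets]

# Constructed packets: the wget request, then the server's HTTP reply (port 41000 is made up).
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.2", "sport": 41000, "dst": "192.168.1.3", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 192.168.1.3\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.3", "sport": 80, "dst": "192.168.1.2", "dport": 41000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\nhelloworld 123-45-6789\n"},
]
```

Running `alerts_for(RULES, PACKETS)` yields sid 7000005 for the request and sids 7000002, 7000003 and 7000006 for the reply.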
