Snort mailing list archives

Re: question for snort flow established


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 18 Mar 2013 09:51:24 -0500

On 3/17/2013 23:25, zhaojunling_20 wrote:
Dear Rmkml,

Thanks for your comment command line with " -k none" added. And then it is
totally working. So let us close the topic.
Thanks again all of you for your help.
###########
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -k none

ignore my previous if "-k none" is working for you...


[@ALL] why is this "-k none" suddenly needed more and more in recent months?? 
we've never used it in any of our snort installations... is it special to a 
certain set of NICs?? [/@ALL]



Junling Zhao

At 2013-03-18 11:51:05,zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:

    Dear All,

    Could anyone help me with this topic? :(


    At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 () 163 com
    <mailto:zhaojunling_2000 () 163 com>> wrote:

        Dear All,

        By the way, if I comment out the keyword "established", the rule works. And I
        attached snort.conf and the output when I run
        snort (/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf).
        The version of snort is Version 2.9.4.1 GRE

        #########
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango
        adware installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
        reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
        classtype:policy-violation; sid:10000019; rev:3;)



        At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 () 163 com
        <mailto:zhaojunling_2000 () 163 com>> wrote:

            Dear friends,

            FYI
            # List of web servers on your network
            ipvar HTTP_SERVERS 10.2.11.2/24

            # List of ports you run web servers on
            portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]


            At 2013-03-17 04:00:21, "waldo kitty" <wkitty42 () windstream net <mailto:wkitty42 () windstream net>> wrote:
            >On 3/16/2013 10:10, zhaojunling_20 wrote:
            >> Dear All,
            >>
            >> I have a little question, if I installed snort on my web server<ipaddress
            >> 10.2.11.2> which has only one ethernet interface and snort inspects the
            >> interface, does "flow with option established" work or not?
            >
            >yes... it has to as several tens of thousands of rules use it ;)
            >
            >> I have tested the below rule with
            >> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
            >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
            >
            >what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
            >
            >> installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
            >> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
            >> classtype:policy-violation; sid:10000019; rev:3;)
            >> appreciate your help~
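What the "-k none" fix in this thread actually switches off, as an added Python example that is not part of the thread and not Snort's own code: Snort's default checksum mode (-k all) verifies IP and TCP checksums in the decoder and drops packets that fail, so such packets never reach stream tracking and a session built from them can never satisfy flow:established; -k none skips the verification. The script builds a constructed IPv4/TCP request to the web server from the thread (the client address 10.2.11.50 and all sequence/port numbers are made up), verifies the checksums the way RFC 1071 describes, and models the decoder gate for a subset of the real -k modes (all, noip, notcp, none; the real option also knows noudp and noicmp). The "bad" packet stores a deliberately wrong TCP checksum, which is the same symptom a capture shows when it is taken on the sending host with checksum offload, where the NIC fills the checksum in after the capture point.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = 0
    for hi, lo in zip(data[0::2], data[1::2]):
        total += (hi << 8) | lo
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum as stored in the header: one's complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6 = TCP)."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                 payload: bytes, tcp_checksum_ok: bool = True) -> bytes:
    """Minimal IPv4+TCP packet (PSH|ACK, fixed seq/ack numbers) with real checksums.
    With tcp_checksum_ok=False the stored TCP checksum is off by one: constructed
    here, but the same symptom a capture on the sending host shows under offload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with the checksum field (bytes 16-17) still zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src, dst, len(tcp) + len(payload)) + tcp + payload)
    if not tcp_checksum_ok:
        csum = (csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:] + payload
    # IPv4 header with its checksum field (bytes 10-11) zero, then filled in
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(pkt: bytes) -> dict:
    """Check the IPv4 header and TCP checksums; a correct one folds the sum to 0xFFFF."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = tcp_pseudo_header(ip[12:16], ip[16:20], len(tcp))
    return {"ip": ones_complement_sum(ip) == 0xFFFF,
            "tcp": ones_complement_sum(pseudo + tcp) == 0xFFFF}


# Snort's -k checksum modes, restricted to the layers this model carries
# (the real option also accepts noudp and noicmp).
CHECKSUM_MODES = {"all": ("ip", "tcp"), "noip": ("tcp",), "notcp": ("ip",), "none": ()}


def accepted_for_inspection(pkt: bytes, mode: str = "all") -> bool:
    """Model of the decoder gate: a packet failing any checksum the mode verifies is
    dropped before stream tracking, so it can never make a session 'established'."""
    results = verify_checksums(pkt)
    return all(results[layer] for layer in CHECKSUM_MODES[mode])


def demo() -> dict:
    """Constructed request to the thread's web server; the client address is made up."""
    payload = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\nHost: 10.2.11.2\r\n\r\n"
    good = build_packet("10.2.11.50", "10.2.11.2", 40000, 80, payload)
    bad = build_packet("10.2.11.50", "10.2.11.2", 40000, 80, payload, tcp_checksum_ok=False)
    return {mode: (accepted_for_inspection(good, mode), accepted_for_inspection(bad, mode))
            for mode in CHECKSUM_MODES}


if __name__ == "__main__":
    for mode, (good_ok, bad_ok) in demo().items():
        print(f"-k {mode:6} good checksum accepted: {good_ok}  bad checksum accepted: {bad_ok}")
```

The last two rows of the output are the situation in this thread: with -k all the mis-checksummed packets are never inspected, so the rule without flow:established fires on the raw packet while the version with it stays silent; -k none (or -k notcp) lets them through. Disabling verification is a blunt fix that also accepts genuinely corrupted traffic, so confirming first whether the capture point sees finished checksums is worth the extra step.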


