Snort mailing list archives

Re: question for snort flow established


From: JJ Cummings <cummingsj () gmail com>
Date: Mon, 18 Mar 2013 09:04:14 -0600

Checksum offloading

Sent from the iRoad

On Mar 18, 2013, at 8:51, waldo kitty <wkitty42 () windstream net> wrote:

On 3/17/2013 23:25, zhaojunling_20 wrote:
Dear Rmkml,

Thanks for your comment. With "-k none" added to the command line it is
totally working. So let us close the topic.
Thanks again all of you for your help.
###########
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -k none

ignore my previous if "-k none" is working for you...


[@ALL] why is this "-k none" suddenly needed more and more in recent months?? 
we've never used it in any of our snort installations... is it special to a 
certain set of NICs?? [/@ALL]



Junling Zhao

At 2013-03-18 11:51:05, zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:

   Dear All,

   Can anyone help me with this topic? :(


   At 2013-03-17 11:03:33, zhaojunling_20 <zhaojunling_2000 () 163 com <mailto:zhaojunling_2000 () 163 com>> wrote:

       Dear All,

       By the way, if I comment out the keyword "established", the rule works. I
       attached snort.conf and the output when I run
       snort (/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf).
       The version of snort is Version 2.9.4.1 GRE

       #########
       alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango
       adware installation request"; content:"Zango/Setup.exe";
       flow:to_server,established;
       reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
       classtype:policy-violation; sid:10000019; rev:3;)



       At 2013-03-17 10:41:52, zhaojunling_20 <zhaojunling_2000 () 163 com <mailto:zhaojunling_2000 () 163 com>> wrote:

           Dear friends,

           FYI
           # List of web servers on your network
           ipvar HTTP_SERVERS 10.2.11.2/24

           # List of ports you run web servers on
           portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]


           At 2013-03-17 04:00:21, "waldo kitty" <wkitty42 () windstream net <mailto:wkitty42 () windstream net>> wrote:
On 3/16/2013 10:10, zhaojunling_20 wrote:
Dear All,

I have a little question: if I installed snort on my web server <ipaddress
10.2.11.2> which has only one ethernet interface and snort inspects the
interface, does "flow with option established" work or not?

yes... it has to, as several tens of thousands of rules use it ;)

I have tested the below rule with
----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware

what do your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??

installation request"; content:"Zango/Setup.exe";flow: to_server,established;
reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
classtype:policy-violation; sid:10000019; rev:3;)
appreciate your help~

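An added example (my own, not code from this thread or from Snort) showing why checksum offloading breaks rules that use flow:established: it verifies the TCP checksum of a constructed IPv4/TCP packet, once properly checksummed and once with the checksum left at zero as a capture taken on the sending host sees it when the NIC offloads the work, and mimics what Snort's default -k all versus -k none does with each. The addresses, port and HTTP payload are constructed sample data.

```python
import struct

def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF

def tcp_checksum_ok(ipv4_packet: bytes) -> bool:
    """True when the TCP checksum carried in the packet verifies."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    src_ip, dst_ip = ipv4_packet[12:16], ipv4_packet[16:20]
    # With a correct checksum in place the sum is 0xFFFF, so the result is 0.
    return tcp_checksum(src_ip, dst_ip, ipv4_packet[ihl:total_len]) == 0

def build_http_packet(src: str, dst: str, payload: bytes, offload: bool) -> bytes:
    """Constructed sample IPv4/TCP packet (PSH/ACK to port 80). With offload=True
    the TCP checksum is left at 0, which is what a capture taken on the sending
    host sees when the NIC is going to fill the checksum in on the wire."""
    src_ip = bytes(int(o) for o in src.split("."))
    dst_ip = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    if not offload:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    # IP header checksum is left at 0: only the TCP checksum matters here.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    return ip + segment

def snort_would_inspect(packet: bytes, checksum_mode: str = "all") -> bool:
    """Mimic Snort's -k option: with 'all' (the default) a TCP segment whose
    checksum fails verification is discarded before stream tracking, so a rule
    with flow:established can never match it; with 'none' it is inspected."""
    if checksum_mode == "none":
        return True
    return tcp_checksum_ok(packet)
```

Run the same check over a real capture from the web server (for example with a pcap reader) and a high share of failing TCP checksums on locally sent packets is the signature of offloading; the fix is either -k none or turning off checksum offloading on the interface.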


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
