Snort mailing list archives

Re: question for snort flow established


From: zhaojunling_20 <zhaojunling_2000 () 163 com>
Date: Mon, 18 Mar 2013 12:25:28 +0800 (CST)

Dear Rmkml,

Thanks for your comment: with "-k none" added to the command line, it is totally working. So let us close the topic.
Thanks again to all of you for your help.
###########
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -k none

Junling Zhao
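The option that closed the thread, `-k none`, sets Snort's checksum mode so that IP/TCP/UDP/ICMP checksums are no longer verified. As an added illustration, not code from the thread or from Snort, the Python below builds a constructed TCP segment carrying the request URL the poster tested with, computes the TCP checksum the way RFC 793 defines it (one's-complement sum over the IPv4 pseudo-header and the segment), and shows how a segment whose checksum field was never filled in is treated with verification on (Snort's default, `-k all`) versus off (`-k none`). The client address and port, and the scenario of a segment captured before a checksum-offloading NIC fills the field in, are assumptions made for the example; the thread itself does not say why the checksum check got in the way.

```python
import socket
import struct

# Constructed sample traffic (not from the thread's capture): a client request
# to the web server in the thread, 10.2.11.2:80, for the URL the poster tested.
CLIENT_IP = "192.0.2.10"        # constructed client address
SERVER_IP = "10.2.11.2"         # web server address from the thread
SERVER_PORT = 80
PAYLOAD = (b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\n"
           b"Host: 10.2.11.2\r\n\r\n")
SIGNATURE = b"Zango/Setup.exe"  # the content: pattern of sid 10000019


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over data (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum: complement of the sum over the IPv4 pseudo-header
    (src, dst, zero, protocol 6, TCP length) followed by the whole segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_port: int, dst_port: int, seq: int, ack: int,
                  flags: int, payload: bytes, fill_checksum: bool = True) -> bytes:
    """20-byte TCP header plus payload. With fill_checksum=False the checksum
    field stays 0, as in a frame captured on the sending host before a
    checksum-offloading NIC fills it in (assumed scenario, not stated in the thread)."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, 65535, 0, 0)   # data offset 5 words, csum 0
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(CLIENT_IP, SERVER_IP, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: with the checksum field included, the complemented
    sum over pseudo-header + segment is 0 exactly when the checksum is correct."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def inspect(segment: bytes, verify_checksums: bool) -> str:
    """Toy model of the sensor's decision for one segment.
    verify_checksums=True  mirrors Snort's default checksum mode (-k all):
                           a segment with a bad TCP checksum is not inspected.
    verify_checksums=False mirrors -k none: the checksum is ignored."""
    if verify_checksums and not checksum_ok(CLIENT_IP, SERVER_IP, segment):
        return "dropped: bad checksum"
    return "alert" if SIGNATURE in segment[20:] else "no match"


def demo() -> dict:
    """Same request three ways: correct checksum, unfilled checksum under
    -k all, and unfilled checksum under -k none."""
    good = build_segment(40000, SERVER_PORT, 1000, 2000, 0x18, PAYLOAD)
    unfilled = build_segment(40000, SERVER_PORT, 1000, 2000, 0x18, PAYLOAD,
                             fill_checksum=False)
    return {
        "good checksum, -k all": inspect(good, True),
        "unfilled checksum, -k all": inspect(unfilled, True),
        "unfilled checksum, -k none": inspect(unfilled, False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} -> {verdict}")
```

The model only looks at one segment; it does not track the three-way handshake, so it does not by itself explain why `flow:established` failed while the same rule without that keyword fired. What it does show is the trade-off behind `-k none`: segments the sensor would otherwise set aside as corrupt are now inspected, which is the right choice when the sensor sits on the host it is monitoring and the checksums it sees are not the ones that go on the wire, and the wrong choice on a tap or span port where a bad checksum really means a damaged packet.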


At 2013-03-18 11:51:05,zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:

Dear All,

Can anyone help me with this topic? :(

At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:

Dear All,


By the way, if I comment out the keyword "established", the rule works. I attached snort.conf and the output from running
snort (/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf). The version of snort is Version 2.9.4.1 GRE.


#########
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware installation request"; content:"Zango/Setup.exe"; flow:to_server,established; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:10000019; rev:3;)

At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:

Dear friends,


FYI
# List of web servers on your network
ipvar HTTP_SERVERS 10.2.11.2/24


# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 () windstream net> wrote:
On 3/16/2013 10:10, zhaojunling_20 wrote:
Dear All,

I have a little question: if I install snort on my web server (IP address
10.2.11.2), which has only one ethernet interface, and snort inspects that
interface, does "flow" with the "established" option work or not?

yes... it has to as several tens of thousands of rules use it ;)

I have tested the rule below with
http://10.2.11.2/test.php?user=Zango/Setup.exe; no alert arose.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware

what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??

installation request"; content:"Zango/Setup.exe";flow: to_server,established;
reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
classtype:policy-violation; sid:10000019; rev:3;)
appreciate your help~


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!