Snort mailing list archives

Re: Port problems in a rule


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 Oct 2014 16:10:01 -0400

On 10/17/2014 2:58 PM, Kurzawa, Kevin wrote:
The port variable doesn’t seem to like me. I recently started playing with rules
and found an unexpected problem. Wondering what I’m doing wrong.

how are you attempting to trigger these rules?

# works

alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content:
"testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)

do you have a pcap for this? i suspect that you are seeing this trigger on 
something other than http traffic which your other two rules appear to be 
looking for... maybe DNS traffic here when the browser looks up the domain to 
find out which IP to connect to...

# doesn't work

#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content:
"testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)

# doesn't work

#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com";
content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)

aside from that, you should perhaps capture the traffic to a pcap with wireshark 
or tcpdump... that way you can more easily see what ports are being used and 
what the contents of the traffic actually are... it is possible that your 
content string doesn't appear in the traffic at all...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
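The capture-and-inspect step suggested above, as an added example that is not part of the thread: a stdlib-only reader for a classic libpcap-format file that lists the protocol and port pair of every packet whose payload contains the rule's content string, so the direction and port of each match are visible before a port-restricted rule is written. The sample capture is constructed inline (one HTTP request and its reply), not real traffic.

```python
import struct

CONTENT = b"testmyids.com"  # the string the rules in the thread look for

def parse_pcap(data):
    """Yield (proto, sport, dport, payload) for each IPv4 TCP/UDP frame in a classic pcap."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        l4 = frame[14 + ihl:]
        if frame[23] == 6 and len(l4) >= 20:  # TCP: data offset is the upper nibble of byte 12
            yield ("tcp",) + struct.unpack("!HH", l4[:4]) + (l4[(l4[12] >> 4) * 4:],)
        elif frame[23] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
            yield ("udp",) + struct.unpack("!HH", l4[:4]) + (l4[8:],)

def find_content(data, content=CONTENT):
    """Return (proto, sport, dport) for every packet whose payload contains content."""
    return [(p, s, d) for p, s, d, payload in parse_pcap(data) if content in payload]

def _frame(proto, sport, dport, payload):
    """Constructed sample frame (Ethernet/IPv4/TCP-or-UDP); checksums stay zero, nothing checks them."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "tcp" else 17, 0, b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01") + l4
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap constructed frames in a little-endian pcap with LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = build_pcap([  # constructed: request to port 80, then the server's reply
    _frame("tcp", 51234, 80, b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n\r\n"),
    _frame("tcp", 80, 51234, b"HTTP/1.1 200 OK\r\n\r\n<title>testmyids.com</title>"),
])

if __name__ == "__main__":
    for hit in find_content(SAMPLE):
        print("%s %d -> %d" % hit)
```

Run against a real file with `find_content(open("capture.pcap", "rb").read())`; a hit whose destination port is not 80 is one that a `-> any 80` rule will never see, whatever the content.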
