Snort mailing list archives
Re: Rule is triggering when read from pcap but not during live capture
From: "Bryant, Alex B. (CDC/OCOO/OCIO)" <ize1 () cdc gov>
Date: Tue, 3 Nov 2015 17:58:15 +0000
James, I found that suggestion just a few minutes ago from someone else having this problem in 2010. Just restarted Snort like this:

/usr/sbin/snort -A fast -b -N -D -I -i eth1 -u snort -g snort -c /etc/snort/snort.conf -y -k none -l /var/log/snort

...unfortunately, it didn't help :-(

Thanks
--Alex

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Tuesday, November 03, 2015 12:47 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule is triggering when read from pcap but not during live capture

On 2015-11-03 10:14 AM, Bryant, Alex B. (CDC/OCOO/OCIO) wrote:
I implemented the following rule:

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:1;)

...but in testing, the corresponding traffic only generates an alert when read into Snort in a .pcap - not in production / live capture. I captured the pcap on the sensor itself, using the Snort capture interface (verified several times that I'm using the right interface), and when I ran the pcap through Snort, it triggered the alert.

Any ideas as to why a live capture does not trigger this alert, but reading in a pcap of the exact same traffic would?

Thanks!
--Alex
When in doubt, nuke checksums with "-k none".

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
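As an added example (not from the thread, and not Snort's own code), the three content checks of sid:30281 re-implemented in Python with depth/nocase, distance/within and fast_pattern semantics, run against a constructed SMB2 CREATE packet; the helper names and the sample packet builder are assumptions made here to make the rule's matching logic testable offline.

```python
import struct

def find(buf: bytes, pat: bytes, start: int = 0, end=None, nocase: bool = False) -> int:
    """Locate pat inside buf[start:end]; return its absolute offset or -1."""
    hay = buf[start:end]
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    i = hay.find(pat)
    return -1 if i < 0 else start + i

def rule_30281_matches(payload: bytes) -> bool:
    """Apply the three content checks of sid:30281 to one TCP payload."""
    # content:"|FE|SMB"; depth:8; nocase;  -> SMB2 magic within the first 8 bytes
    i = find(payload, b"\xfeSMB", 0, 8, nocase=True)
    if i < 0:
        return False
    cursor = i + 4                      # detection cursor sits just after the match
    # content:"|05 00|"; distance:8; within:2;  -> SMB2 Command field == CREATE (5)
    start = cursor + 8
    if find(payload, b"\x05\x00", start, start + 2) < 0:
        return False
    # content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only;
    # -> the UTF-16LE service name anywhere in the payload, case-sensitive
    return "PSEXESVC".encode("utf-16-le") in payload

def build_smb2_create(name: str, command: int = 5) -> bytes:
    """Constructed sample: NBSS header + 64-byte SMB2 header + CREATE request for name."""
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest
    hdr = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, command, 0)
    hdr += b"\x00" * (64 - len(hdr))    # remaining header fields zeroed (not used by the rule)
    name_le = name.encode("utf-16-le")
    # Fixed 56-byte CREATE request; NameOffset points past the SMB2 header + fixed part
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       64 + 56, len(name_le), 0, 0) + name_le
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb          # NetBIOS session header
```

This reproduces only the content matching; a live sensor additionally requires flow:to_server,established to be satisfied by the stream tracker and, unless checksum verification is disabled (e.g. "-k none"), a valid TCP checksum before the payload is inspected at all.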
Current thread:
- Rule is triggering when read from pcap but not during live capture Bryant, Alex B. (CDC/OCOO/OCIO) (Nov 03)
- Re: Rule is triggering when read from pcap but not during live capture James Lay (Nov 03)
- Re: Rule is triggering when read from pcap but not during live capture Bryant, Alex B. (CDC/OCOO/OCIO) (Nov 03)
- Re: Rule is triggering when read from pcap but not during live capture James Lay (Nov 03)
- Re: Rule is triggering when read from pcap but not during live capture Bryant, Alex B. (CDC/OCOO/OCIO) (Nov 03)
- Re: Rule is triggering when read from pcap but not during live capture James Lay (Nov 03)