Snort mailing list archives

Re: Rule is triggering when read from pcap but not during live capture


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 03 Nov 2015 11:31:49 -0700

On 2015-11-03 10:58 AM, Bryant, Alex B. (CDC/OCOO/OCIO) wrote:
James,

I found that suggestion just a few minutes ago from someone else
having this problem in 2010. Just restarted Snort like this:

/usr/sbin/snort -A fast -b -N -D -I -i eth1 -u snort -g snort -c
/etc/snort/snort.conf -y -k none -l /var/log/snort

...unfortunately, it didn't help :-(

Thanks
--Alex

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Tuesday, November 03, 2015 12:47 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule is triggering when read from pcap but
not during live capture

On 2015-11-03 10:14 AM, Bryant, Alex B. (CDC/OCOO/OCIO) wrote:
I implemented the following rule:

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use
of psexec remote administration tool SMBv2";
flow:to_server,established; content:"|FE|SMB"; depth:8; nocase;
content:"|05 00|"; within:2; distance:8;
content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only;
metadata:service netbios-ssn;
reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx;
classtype:policy-violation; sid:30281; rev:1;)

...but in testing, the corresponding traffic only generates an alert
when read into Snort in a .pcap - not in production / live capture. I
captured the pcap on the sensor itself, using the Snort capture
interface (verified several times that I'm using the right interface),
and when I ran the pcap through Snort, it triggered the alert.

Any ideas as to why a live capture does not trigger this alert, but
reading in a pcap of the exact same traffic would?

Thanks!

--Alex

When in doubt, nuke checksums with "-k none".

James

Wow that is a boat-ton of startup options :D  At this point in time, if 
it was me, I would start this as root and have it log to console to see 
what's going on like:

sudo /usr/sbin/snort -A console -i eth1 -c /etc/snort/snort.conf -k none

James
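The "-k none" suggestion above rests on one mechanism: by default Snort verifies IP and TCP checksums and silently ignores segments that fail, and a sensor whose NIC does checksum offloading sees its own outbound packets before the hardware has filled those fields in, so they look corrupt live but may be fine when re-read from a capture taken elsewhere. The script below is an added diagnostic, not part of this thread or of Snort: it walks an Ethernet/IPv4 pcap and counts TCP segments whose IP or TCP checksum does not verify. The sample frames, addresses (10.0.0.1 -> 10.0.0.2:445) and SMB2-like payload are constructed here for illustration.

```python
"""Count TCP segments with bad IP/TCP checksums in a libpcap-format capture.

Added diagnostic, not Snort code. Snort 2.x drops packets that fail
checksum verification unless started with '-k none'; a capture taken on
an offloading host shows zero/garbage checksums on locally sent packets.
"""
import struct
import sys


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Value to place in a header; returns 0 when data already holds a valid checksum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def check_ipv4_tcp(frame: bytes):
    """Return {'ip_ok': bool, 'tcp_ok': bool} for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or total_len > len(ip):    # not TCP, or truncated
        return None
    return {
        "ip_ok": checksum(ip[:ihl]) == 0,
        "tcp_ok": tcp_checksum(ip[12:16], ip[16:20], ip[ihl:total_len]) == 0,
    }


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a classic (non-pcapng) pcap, Ethernet link type only."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def scan_pcap_bytes(data: bytes) -> dict:
    counts = {"tcp": 0, "bad_ip": 0, "bad_tcp": 0}
    for frame in iter_pcap_frames(data):
        verdict = check_ipv4_tcp(frame)
        if verdict is None:
            continue
        counts["tcp"] += 1
        counts["bad_ip"] += not verdict["ip_ok"]
        counts["bad_tcp"] += not verdict["tcp_ok"]
    return counts


def scan_pcap(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_pcap_bytes(f.read())


# ---- constructed sample traffic (hypothetical, not from the thread's capture) ----

def build_frame(payload: bytes, fill_checksums: bool) -> bytes:
    """Ethernet/IPv4/TCP frame 10.0.0.1:49152 -> 10.0.0.2:445. With fill_checksums=False
    both checksum fields stay zero, as a capture on an offloading sender would show."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fill_checksums:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    if fill_checksums:
        ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames) -> bytes:
    """Little-endian pcap file: 24-byte global header, then 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# NetBIOS session header followed by the SMB2 magic the rule's first content matches.
SAMPLE_PAYLOAD = b"\x00\x00\x00\x0c" + b"\xfeSMB" + b"\x00" * 8

if __name__ == "__main__":
    print(scan_pcap(sys.argv[1]))
```

Run it against a pcap taken on the sensor's sniffing interface: if bad_tcp is a sizeable share of tcp and the bad ones are the segments the rule should fire on, checksum verification is the reason the live run stays quiet and "-k none" (or disabling offload on the capture NIC) is the fix; if every checksum verifies, look elsewhere, for example at the interface or at stream reassembly.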

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!