Snort mailing list archives

Snort not generating alert


From: Qasim Javed <qasim.javed () ebryx com>
Date: Fri, 27 Nov 2015 12:31:11 +0500

Hi,
     I am using Ubuntu 14.04 LTS and have some problems while detecting
some strings in the payload of a pcap. Actually the problem is that when I hit
the pcap with the Snort rules file named r1.rules then no alerts are
generated. Assume that the pcap and rules file are in the same directory, that
snort.conf is at /etc/snort/snort.conf, and that I have enabled TCP
reassembly.

   - Command 1 executed:    sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
   - Rule which should trigger:  alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
   - Output 1:  no alert generated

   - Command 2 executed:   sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
   - Output 2: This command generates the http-response stream and it has both contents which are in the rule to be matched, and it should generate an alert, but Snort is not generating an alert while both contents are present in the output stream generated using switch -A cmg instead of -A console.

         I have attached the response file named "r1_response.txt" (i.e. the output
generated while executing command 2), snort.conf, r1.rules, and
TCP_SACK.pcap (the pcap to be hit). Please resolve the issue and let
me know the solution.




Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

Attachments: r1_response.txt, r1.rules, snort.conf, TCP_SACK.pcap
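The post turns on the difference between what a rule sees in each packet and what it sees once the TCP stream has been reassembled. The following is an added illustration, not code from the poster and not Snort's own stream5/http_inspect implementation: a toy model of the rule's two non-relative content: matches (both must appear somewhere in the inspected buffer, nocase compares case-insensitively) run over constructed TCP segments, once per packet and once after reassembly. The HTTP response, the sequence numbers and the overlap handling (first copy wins) are all assumptions of the toy, and it does not diagnose the poster's pcap.

```python
"""Toy illustration of per-packet vs. reassembled-stream content matching.

Constructed example: not Snort's stream5/http_inspect code; the sample
segments are made up.  It models the two non-relative content: matches
from the rule in the post and shows how a string split across TCP
segments is only visible after reassembly.
"""

# The two content: strings from the rule in the post (both use nocase).
RULE_CONTENTS = (b"HTTP/1.1 200 OK", b"prevDays=new Arr")


def rule_matches(buf: bytes, contents=RULE_CONTENTS, nocase: bool = True) -> bool:
    """Model of a rule with several non-relative content: options.

    Without distance/within/offset/depth each content is searched in the
    whole buffer independently, so the rule fires only if every pattern is
    present somewhere in `buf`.  nocase folds both pattern and buffer.
    """
    hay = buf.lower() if nocase else buf
    return all((c.lower() if nocase else c) in hay for c in contents)


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) tuples.

    Segments may arrive out of order or be retransmitted.  Bytes already in
    the buffer are dropped (first copy wins: an assumption of this toy,
    real reassembly has per-OS overlap policies).  Returns (data, complete);
    complete is False if a hole was found, and data then stops at the hole.
    """
    buf = bytearray()
    next_seq = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq              # first byte of the stream we saw
        if seq + len(data) <= next_seq:
            continue                    # pure retransmission, nothing new
        if seq < next_seq:              # partial overlap: trim the prefix
            data = data[next_seq - seq:]
            seq = next_seq
        if seq > next_seq:              # hole: a segment is missing
            return bytes(buf), False
        buf += data
        next_seq = seq + len(data)
    return bytes(buf), True


def inspect_per_packet(segments):
    """What a rule without reassembly sees: each payload on its own."""
    return [rule_matches(data) for _, data in segments]


def inspect_stream(segments):
    """What a rule sees on the reassembled stream: (matched, complete)."""
    data, complete = reassemble(segments)
    return rule_matches(data), complete


# Constructed sample: an HTTP response whose second pattern straddles two
# segments, delivered out of order with one retransmission.
SEG_A = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SEG_B = b"<html><script>var prevD"
SEG_C = b"ays=new Array();</script></html>"
BASE_SEQ = 1000  # made-up initial sequence number
SEGMENTS = [
    (BASE_SEQ + len(SEG_A), SEG_B),                  # arrives first, out of order
    (BASE_SEQ, SEG_A),
    (BASE_SEQ + len(SEG_A) + len(SEG_B), SEG_C),
    (BASE_SEQ, SEG_A),                               # retransmission of SEG_A
]

if __name__ == "__main__":
    print("per packet :", inspect_per_packet(SEGMENTS))   # no single segment has both
    print("stream     :", inspect_stream(SEGMENTS))       # (True, True)
    # Drop SEG_B: the stream has a hole and the rule cannot match.
    print("with hole  :", inspect_stream([s for s in SEGMENTS if s[1] != SEG_B]))
```

The `complete` flag stands in for a precondition real reassembly also has: if the session was never tracked, or segments are missing from the capture, a rule only ever sees individual payloads, and a pattern split across segments cannot match.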

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
