Snort mailing list archives
Re: Snort not generating alert
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sun, 29 Nov 2015 21:44:15 +0000
Hello,

Attached are the conf, pcap and log. I chose to use the http_stat_code with a value of '200' in your rule since you were looking for the server response code.

alert tcp any any -> any any (sid:100015; rev:1; msg:"both contents found"; flow:to_client,established; content:"200"; http_stat_code; content:"prevDays=new Arr"; nocase;)

Command I used:

./bin/snort -c etc/JAVED.conf -r etc/JAVED.pcap -Acmg -H -U -k none -q

06/16-18:20:10.416489 [**] [1:100015:1] both contents found [**] [Priority: 0] {TCP} 63.116.243.97:80 -> 192.168.1.3:58816
Stream reassembled packet
06/16-18:20:10.416489 00:26:62:2F:47:87 -> 00:1D:60:B3:01:84 type:0x800 len:0x5F88
63.116.243.97:80 -> 192.168.1.3:58816 TCP TTL:64 TOS:0x0 ID:43234 IpLen:20 DgmLen:24442 DF
***A**** Seq: 0xA3C480A0  Ack: 0xE5943F77  Win: 0xAA00  TcpLen: 32
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 32 33 38 35 38 0D 0A 43 6F 6E 74 65 6E 74 2D   23858..Content-
54 79 70 65 3A 20 74 65 78 74 2F 6A 61 76 61 73  Type: text/javas
63 72 69 70 74 0D 0A 4C 61 73 74 2D 4D 6F 64 69  cript..Last-Modi
66 69 65 64 3A 20 57 65 64 2C 20 31 36 20 4A 75  fied: Wed, 16 Ju
6E 20 32 30 31 30 20 31 37 3A 32 35 3A 31 34 20  n 2010 17:25:14
47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67  GMT..Accept-Rang
65 73 3A 20 62 79 74 65 73 0D 0A 45 54 61 67 3A  es: bytes..ETag:
20 22 30 37 39 37 35 65 31 37 38 64 63 62 31 3A   "07975e178dcb1:
35 33 33 33 22 0D 0A 53 65 72 76 65 72 3A 20 4D  5333"..Server: M
69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30  icrosoft-IIS/6.0

See here in the manual about the http_stat_code keyword: http://manual.snort.org/node32.html#SECTION004519000000000000000

You should also be able to use the 'http_header' option as YM mentions below.

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc.
now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Y M [mailto:snort () outlook com]
Sent: Saturday, November 28, 2015 7:44 AM
To: Qasim Javed
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not generating alert

I have looked at your files, but you may want to consider the "flow" and "http_header" keywords in the rule posted. Try these and see if they help.

Sent from Mobile

_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>

Hi,

I am using Ubuntu 14.04 LTS and have some problems while detecting some strings in the payload of a pcap. Actually the problem is that when I hit the pcap with the Snort rules file named r1.rules, no alerts are generated. Assume that the pcap and rules file are in the same directory, snort.conf is in /etc/snort/snort.conf, and I have enabled TCP reassembly.

* Command1 executed: sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
* Rule which should trigger: alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
* Output1: no alert generated
* Command2 executed: sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
* Output2: This command generates the HTTP response stream, and it has both contents which are in the rule to be matched, so it should generate an alert, but Snort is not generating an alert while both contents are present in the output stream generated using switch -A cmg instead of -A console.

I have attached the response file named "r1_response.txt" (i.e. the output generated while executing command2), snort.conf, r1.rules, and TCP_SACK.pcap (the pcap to be hit).

Please resolve the issue and let me know the solution.

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road, Lahore, Pakistan
Attachment:
JAVED.pcap
Description: JAVED.pcap
Attachment:
JAVED.conf
Description: JAVED.conf
Attachment:
log1.txt
Description: log1.txt
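Why the http_stat_code form of the rule is the tighter one, as an added illustration that is not part of the thread and not Snort code: the Python below models the Snort 2.x HTTP inspect buffers the two rules select (http_stat_code, http_stat_msg, http_header, and the unmodified payload) for one reassembled response, then evaluates Al's sid:100015 checks and a bare content:"200" variant against two constructed responses. The sample responses, the buffer split and the evaluator are assumptions made for illustration and only approximate Snort's behaviour; the model does not explain why sid:100014 failed to fire on the original pcap, which the thread does not settle.

```python
"""Model of the Snort 2.x HTTP inspect buffers used by the rules in this thread.

Added illustration, not Snort code: it splits one reassembled HTTP response into
the http_stat_code / http_stat_msg / http_header buffers plus the unmodified
payload, then evaluates content checks the way a rule's content options do.
"""
from dataclasses import dataclass

# Constructed sample modelled on the response headers in the log above; the
# body is invented (the attached pcap is not reproduced here).
RESPONSE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 23858\r\n"
    b"Content-Type: text/javascript\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"\r\n"
    b"var prevDays=new Array(7);\n"
)

# Constructed counter-example: a 404 whose headers happen to contain "200".
RESPONSE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 200\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>PREVDAYS=NEW ARR is not here</html>\n"
)


@dataclass(frozen=True)
class HttpBuffers:
    stat_code: bytes   # http_stat_code
    stat_msg: bytes    # http_stat_msg
    header: bytes      # http_header (response headers, status line excluded)
    payload: bytes     # unmodified content buffer (whole reassembled payload)


def split_response(raw: bytes) -> HttpBuffers:
    """Split a response into the buffers a content modifier can select."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    status_line, _, header = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    stat_msg = parts[2] if len(parts) == 3 else b""
    return HttpBuffers(parts[1], stat_msg, header, raw)


def content_match(buf: bytes, pattern: bytes, nocase: bool) -> bool:
    """Plain substring search, like a non-relative content: option."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


# A rule here is the ordered list of its content checks: (buffer, pattern, nocase).
# sid:100015 from Al's reply: "200" restricted to the http_stat_code buffer,
# the second content searched in the unmodified payload.
RULE_STAT_CODE = [
    ("stat_code", b"200", False),
    ("payload", b"prevDays=new Arr", True),
]
# Hypothetical variant: the same rule with the http_stat_code modifier dropped.
RULE_RAW_200 = [
    ("payload", b"200", False),
    ("payload", b"prevDays=new Arr", True),
]


def evaluate(raw: bytes, rule, to_client: bool = True) -> bool:
    """True when every content check matches.

    flow:to_client is modelled as a direction flag: the response buffers only
    exist for server-to-client traffic, so client-side data never matches.
    """
    if not to_client:
        return False
    bufs = split_response(raw)
    return all(
        content_match(getattr(bufs, name), pattern, nocase)
        for name, pattern, nocase in rule
    )


if __name__ == "__main__":
    for label, raw in (("200 response", RESPONSE_200), ("404 response", RESPONSE_404)):
        print(label, "stat_code rule:", evaluate(raw, RULE_STAT_CODE),
              "raw 200 rule:", evaluate(raw, RULE_RAW_200))
```

Running the script shows the point of the buffer modifier: the 404 sample matches the bare content:"200" variant because "200" appears in a Content-Length header, while the http_stat_code form only matches when the status code itself is 200.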
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort not generating alert Qasim Javed (Nov 26)
- Re: Snort not generating alert Y M (Nov 28)
- Re: Snort not generating alert Y M (Nov 28)
- Re: Snort not generating alert Al Lewis (allewi) (Nov 29)
- Re: Snort not generating alert Qasim Javed (Nov 29)
- Re: Snort not generating alert Qasim Javed (Nov 30)
- Re: Snort not generating alert Al Lewis (allewi) (Nov 30)
- Re: Snort not generating alert Qasim Javed (Nov 30)
- Re: Snort not generating alert Y M (Nov 28)