Snort mailing list archives

Re: Snort not generating alert


From: Qasim Javed <qasim.javed () ebryx com>
Date: Mon, 30 Nov 2015 13:07:51 +0500

Hi,
     I read your snort configuration file and made a little change from
"config paf_max: 16000" to "config paf_max: 63780" in snort.conf and my
rule started to work. I think there is no need to change anything other
than that.

Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
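The paf_max change above (together with the two-content rule quoted further down in this thread) can be reasoned about with a small model. What follows is an added example, not code from the thread or from the Snort project: it constructs a synthetic HTTP 200 response whose headers mirror the hex dump below and whose 23858-byte body carries "prevDays=new Arr" at a chosen offset, slices the stream into PDUs of at most paf_max bytes the way a byte-capped reassembly would (a deliberate simplification of PAF, which really flushes on protocol boundaries), and checks the rule's content: patterns against each slice. The function names (build_response, paf_flush, count_alerts, locate_contents), the filler body and the marker offsets are this example's own assumptions; the 16000 default and the 63780 upper bound of config paf_max are the values from the thread.

```python
"""
Toy model of the failure discussed in this thread: a Snort rule with two
content: matches never fires on a large HTTP response until paf_max is raised.

Snort tests every content: pattern of a rule against ONE reassembled buffer.
Stream reassembly (PAF) caps that buffer at paf_max bytes, so a response
larger than paf_max reaches the detection engine as several slices. When
"HTTP/1.1 200 OK" lands in slice 1 and "prevDays=new Arr" lands in slice 2,
no single buffer holds both and nothing alerts.

Added, constructed example (not code from the thread or from Snort): the
response is synthetic, with headers copied from the hex dump and a filler
body; paf_flush() models only the byte cap, not PAF's protocol-boundary
logic. Function names are this example's own.
"""
from __future__ import annotations

DEFAULT_PAF_MAX = 16000   # Snort 2.9 default for "config paf_max"
MAX_PAF_MAX = 63780       # largest value "config paf_max" accepts

STATUS_LINE = b"HTTP/1.1 200 OK"
BODY_MARKER = b"prevDays=new Arr"


def build_response(body_len: int, marker: bytes, marker_offset: int) -> bytes:
    """Construct a 200 response whose body carries `marker` at `marker_offset`."""
    if marker_offset + len(marker) > body_len:
        raise ValueError("marker does not fit in body")
    body = bytearray(b"/" * body_len)   # constructed filler (a run of JS comment chars)
    body[marker_offset:marker_offset + len(marker)] = marker
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Length: " + str(body_len).encode() + b"\r\n"
        b"Content-Type: text/javascript\r\n"
        b"Server: Microsoft-IIS/6.0\r\n"
        b"\r\n"
    )
    return headers + bytes(body)


def paf_flush(stream: bytes, paf_max: int) -> list[bytes]:
    """Toy PAF: hand the stream to detection in PDUs of at most paf_max bytes."""
    if paf_max <= 0 or paf_max > MAX_PAF_MAX:
        raise ValueError(f"paf_max must be 1..{MAX_PAF_MAX}")
    return [stream[i:i + paf_max] for i in range(0, len(stream), paf_max)]


def rule_matches(pdu: bytes, contents: list[bytes], nocase: bool = True) -> bool:
    """A rule fires only if every content: pattern is found in the same buffer."""
    hay = pdu.lower() if nocase else pdu
    return all((c.lower() if nocase else c) in hay for c in contents)


def count_alerts(stream: bytes, contents: list[bytes], paf_max: int) -> int:
    """Number of flushed PDUs on which the rule would alert."""
    return sum(rule_matches(pdu, contents) for pdu in paf_flush(stream, paf_max))


def locate_contents(stream: bytes, contents: list[bytes], paf_max: int) -> dict[bytes, list[int]]:
    """Debugging aid: the PDU index (or indices) each content: pattern lands in.

    A pattern that straddles a PDU boundary is in neither slice and is reported
    with an empty list; that is a second way paf_max can hide a match.
    """
    pdus = paf_flush(stream, paf_max)
    return {c: [i for i, pdu in enumerate(pdus) if c.lower() in pdu.lower()]
            for c in contents}


if __name__ == "__main__":
    # Content-Length 23858 is taken from the hex dump in the thread; the marker
    # offset 20000 is a constructed value placed past the 16000-byte default.
    resp = build_response(23858, BODY_MARKER, 20000)
    rule = [STATUS_LINE, BODY_MARKER]
    for paf_max in (DEFAULT_PAF_MAX, MAX_PAF_MAX):
        print(f"paf_max={paf_max}: alerts={count_alerts(resp, rule, paf_max)} "
              f"slices={locate_contents(resp, rule, paf_max)}")
```

Running it gives 0 alerts at paf_max 16000 and 1 at 63780. locate_contents is the check to do first when a multi-content rule is silent on a large response: it shows which slice each pattern fell in, and an empty list means the pattern straddled a flush boundary.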



On 30 November 2015 at 11:28, Qasim Javed <qasim.javed () ebryx com> wrote:

Thanks for your support. You made my day, it worked!

Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan



On 30 November 2015 at 02:44, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,



Attached are the conf, pcap and log. I chose to use the http_stat_code
with a value of ‘200’ in your rule since you were looking for the server
response code.

alert tcp any any -> any any (sid:100015; rev:1; msg:"both contents found"; flow:to_client,established; content:"200"; http_stat_code; content:"prevDays=new Arr"; nocase;)

Command I used:

./bin/snort -c etc/JAVED.conf -r etc/JAVED.pcap -Acmg -H -U -k none -q

06/16-18:20:10.416489  [**] [1:100015:1] both contents found [**]
[Priority: 0] {TCP} 63.116.243.97:80 -> 192.168.1.3:58816

Stream reassembled packet

06/16-18:20:10.416489 00:26:62:2F:47:87 -> 00:1D:60:B3:01:84 type:0x800 len:0x5F88
63.116.243.97:80 -> 192.168.1.3:58816 TCP TTL:64 TOS:0x0 ID:43234 IpLen:20 DgmLen:24442 DF
***A**** Seq: 0xA3C480A0  Ack: 0xE5943F77  Win: 0xAA00  TcpLen: 32

48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 32 33 38 35 38 0D 0A 43 6F 6E 74 65 6E 74 2D   23858..Content-
54 79 70 65 3A 20 74 65 78 74 2F 6A 61 76 61 73  Type: text/javas
63 72 69 70 74 0D 0A 4C 61 73 74 2D 4D 6F 64 69  cript..Last-Modi
66 69 65 64 3A 20 57 65 64 2C 20 31 36 20 4A 75  fied: Wed, 16 Ju
6E 20 32 30 31 30 20 31 37 3A 32 35 3A 31 34 20  n 2010 17:25:14
47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67  GMT..Accept-Rang
65 73 3A 20 62 79 74 65 73 0D 0A 45 54 61 67 3A  es: bytes..ETag:
20 22 30 37 39 37 35 65 31 37 38 64 63 62 31 3A   "07975e178dcb1:
35 33 33 33 22 0D 0A 53 65 72 76 65 72 3A 20 4D  5333"..Server: M
69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30  icrosoft-IIS/6.0

See here in the manual about the http_stat_code keyword:
http://manual.snort.org/node32.html#SECTION004519000000000000000

You should also be able to use the ‘http_header’ option as YM mentions
below.

Hope this helps!





Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



From: Y M [mailto:snort () outlook com]
Sent: Saturday, November 28, 2015 7:44 AM
To: Qasim Javed
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not generating alert

I have looked at your files, but you may want to consider "flow" and
"http_header" keywords in the rule posted. Try these and see if they help.

Sent from Mobile



_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>



Hi,

     I am using ubuntu 14.04 LTS and have some problems while detecting
some strings in the payload of a pcap. Actually the problem is that when
I hit the pcap with the snort rules file named r1.rules, no alerts are
generated. Assume that the pcap and rules file are in the same directory,
snort.conf is at /etc/snort/snort.conf and I have enabled TCP reassembly.

   - Command1 executed: sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
   - Rule which should trigger: alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
   - Output1: no alert generated

   - Command2 executed: sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
   - Output2: This command generates the http-response stream, and it has
     both contents which are in the rule to be matched, so it should
     generate an alert, but snort is not generating an alert while both
     contents are present in the output stream generated using switch
     -A cmg instead of -A console.

     I have attached the response file named "r1_response.txt" (i.e. the
output generated while executing command2), snort.conf, r1.rules, and
TCP_SACK.pcap (the pcap to be hit). Please resolve the issue and let me
know the solution.

Best Regards,



Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
