Snort mailing list archives
Re: Snort not generating alert
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 30 Nov 2015 12:38:36 +0000
Great! You may still want to change the rule to use one of the http rule keywords so that ONLY the http header is searched for the status code/http response. Either way the choice is yours.

Cheers!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Qasim Javed [mailto:qasim.javed () ebryx com]
Sent: Monday, November 30, 2015 3:08 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net; Fahim Abbasi
Subject: Re: [Snort-users] Snort not generating alert

Hi,

I read your snort configuration file and made a little change from config paf_max: 16000 to config paf_max: 63780 in snort.conf and my rule started to work. I think there is no need to change anything other than that.

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

On 30 November 2015 at 11:28, Qasim Javed <qasim.javed () ebryx com> wrote:

Thanks for your support. You made my day, it worked!

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

On 30 November 2015 at 02:44, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Attached are the conf, pcap and log. I chose to use the http_stat_code with a value of '200' in your rule since you were looking for the server response code.

    alert tcp any any -> any any (sid:100015; rev:1; msg:"both contents found"; flow:to_client,established; content:"200"; http_stat_code; content:"prevDays=new Arr"; nocase;)

Command I used:

    ./bin/snort -c etc/JAVED.conf -r etc/JAVED.pcap -Acmg -H -U -k none -q

    06/16-18:20:10.416489 [**] [1:100015:1] both contents found [**] [Priority: 0] {TCP} 63.116.243.97:80 -> 192.168.1.3:58816
    Stream reassembled packet
    06/16-18:20:10.416489 00:26:62:2F:47:87 -> 00:1D:60:B3:01:84 type:0x800 len:0x5F88
    63.116.243.97:80 -> 192.168.1.3:58816 TCP TTL:64 TOS:0x0 ID:43234 IpLen:20 DgmLen:24442 DF
    ***A**** Seq: 0xA3C480A0 Ack: 0xE5943F77 Win: 0xAA00 TcpLen: 32
    48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
    0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
    20 32 33 38 35 38 0D 0A 43 6F 6E 74 65 6E 74 2D   23858..Content-
    54 79 70 65 3A 20 74 65 78 74 2F 6A 61 76 61 73  Type: text/javas
    63 72 69 70 74 0D 0A 4C 61 73 74 2D 4D 6F 64 69  cript..Last-Modi
    66 69 65 64 3A 20 57 65 64 2C 20 31 36 20 4A 75  fied: Wed, 16 Ju
    6E 20 32 30 31 30 20 31 37 3A 32 35 3A 31 34 20  n 2010 17:25:14
    47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67  GMT..Accept-Rang
    65 73 3A 20 62 79 74 65 73 0D 0A 45 54 61 67 3A  es: bytes..ETag:
    20 22 30 37 39 37 35 65 31 37 38 64 63 62 31 3A   "07975e178dcb1:
    35 33 33 33 22 0D 0A 53 65 72 76 65 72 3A 20 4D  5333"..Server: M
    69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30  icrosoft-IIS/6.0

See here in the manual about the http_stat_code keyword:
http://manual.snort.org/node32.html#SECTION004519000000000000000

You should also be able to use the 'http_header' option as YM mentions below.

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Y M [mailto:snort () outlook com]
Sent: Saturday, November 28, 2015 7:44 AM
To: Qasim Javed
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not generating alert

I have looked at your files, but you may want to consider "flow" and "http_header" keywords in the rule posted. Try these and see if they help.

Sent from Mobile

_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>

Hi,

I am using Ubuntu 14.04 LTS and have some problems while detecting some strings in the payload of a pcap. Actually the problem is that when I hit the pcap with the snort rules file named r1.rules, no alerts are generated. Assuming that the pcap and rules file are in the same directory, snort.conf is in /etc/snort/snort.conf and I have enabled TCP reassembly.

* Command1 executed:

    sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none

* Rule which should trigger:

    alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)

* Output1: no alert generated

* Command2 executed:

    sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none

* Output2: This command generates the http-response stream and it has both contents which are in the rule to be matched, and it should generate an alert, but snort is not generating an alert while both contents are present in the output stream generated using switch -A cmg instead of -A console.

I have attached the response file named "r1_response.txt" (i.e. output generated while executing command2), snort.conf, r1.rules and TCP_SACK.pcap (pcap to be hit). Please resolve the issue and let me know the solution.

Best Regards,
Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
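The fix that ended the thread (raising config paf_max from 16000 to 63780) is easy to reason about with a small model. The Python below is an added example, not code from the thread or from Snort: it constructs a 200 OK response with the same Content-Length as the one in the thread (23858), cuts the reassembled stream into paf_max-sized buffers (a simplification; real Snort flush points are chosen by stream and the HTTP inspector), and evaluates the two-content rule on each buffer. When the second content lands past the first 16000 bytes, no single buffer holds both strings and the rule cannot fire.

```python
# Added example: a simplified model of Snort's PAF flush size (config paf_max)
# and its effect on a rule that needs two contents in the same buffer.
# Assumption: each reassembled buffer is at most paf_max bytes and buffers
# are cut back to back; Snort's real flush points are more involved.

MARKER = b"prevDays=new Arr"   # second content of the rule in the thread
STATUS = b"HTTP/1.1 200 OK"    # first content of the rule in the thread

def build_response(body_len: int, marker_offset: int) -> bytes:
    """Construct a sample HTTP/1.1 200 response (constructed test data)
    whose body carries MARKER at byte offset marker_offset."""
    if marker_offset + len(MARKER) > body_len:
        raise ValueError("marker does not fit in body")
    body = bytearray(b"x" * body_len)
    body[marker_offset:marker_offset + len(MARKER)] = MARKER
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/javascript\r\n"
               b"Content-Length: %d\r\n\r\n" % body_len)
    return headers + bytes(body)

def paf_flush(stream: bytes, paf_max: int):
    """Yield reassembled buffers of at most paf_max bytes (model)."""
    if paf_max <= 0:
        raise ValueError("paf_max must be positive")
    for start in range(0, len(stream), paf_max):
        yield stream[start:start + paf_max]

def rule_matches(buf: bytes) -> bool:
    """The original rule: both contents, nocase, in one inspected buffer."""
    low = buf.lower()
    return STATUS.lower() in low and MARKER.lower() in low

def alert_with_paf_max(stream: bytes, paf_max: int) -> bool:
    """True if any flushed buffer satisfies the rule."""
    return any(rule_matches(buf) for buf in paf_flush(stream, paf_max))

if __name__ == "__main__":
    resp = build_response(23858, 20000)   # marker deep in the body
    for size in (16000, 63780):
        print(f"paf_max={size}: alert={alert_with_paf_max(resp, size)}")
```

The model also shows a second failure mode: a content string that straddles a flush boundary is not matched in either buffer.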