Snort mailing list archives
RE : snort honeytoken config
From: rmkml <rmkml () ligfy org>
Date: Wed, 04 May 2016 07:58:10 +0200
Hi Samuel,

Please try with cksum disabled (-k none).

Regards
@Rmkml

-------- Original message --------
From: Samuel Kidman <skidman () netwealth com au>
Date: 04/05/2016 07:23 (GMT+01:00)
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort honeytoken config

Hello

I am trying to use snort to check for certain strings leaving an MSSQL database. The idea is if these are leaving the database then someone is doing queries they shouldn't be. I have created a simple content rule:

alert tcp any 1433 -> any any (content: "HONEYTOKEN"; msg: "test honeytoken rule"; sid:1000001;)

If I query the database and run a packet capture on the snort machine, then feed the packet capture into snort (using the -r switch) the rule works as expected. However, if I run snort in IDS mode (using the -i switch) then the rule isn't triggered.

Does anyone know what could be happening?

Regards,
Sam
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
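The suggestion above points at checksum verification: Snort validates TCP checksums before a packet reaches the detection engine, drops segments that fail, and -k none switches that validation off. The following Python example is added here to illustrate the mechanism; it is not code from this thread or from the Snort project. It implements the TCP checksum (IPv4 pseudo-header plus segment), puts a checksum check in front of a minimal version of the honeytoken content rule, and runs it on two constructed packets: one with a valid checksum (what a capture from a tap or span port carries) and one whose checksum field holds a constructed 0x0000 placeholder, standing in for a segment captured on the sending host before the NIC fills the field in (checksum offload). The IP addresses, ports and payload are constructed sample values.

```python
import struct
from typing import Optional

# The rule from the thread, reduced to the three things it checks.
RULE_MSG = "test honeytoken rule"
RULE_SRC_PORT = 1433
RULE_CONTENT = b"HONEYTOKEN"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the whole segment.
    The caller passes the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_packet(payload: bytes, src_port: int, checksum: Optional[int] = None) -> bytes:
    """Build a minimal IPv4+TCP packet (no Ethernet header).
    checksum=None writes a valid TCP checksum; an explicit value simulates a
    capture taken before the NIC has filled the field in (offload)."""
    src_ip = bytes([10, 0, 0, 5])  # constructed: the database server
    dst_ip = bytes([10, 0, 0, 9])  # constructed: the querying client

    def tcp_header(csum: int) -> bytes:
        # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
        # window, checksum, urgent pointer
        return struct.pack("!HHIIBBHHH", src_port, 49152, 1, 1, 5 << 4, 0x18, 65535, csum, 0)

    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, tcp_header(0) + payload)
    segment = tcp_header(checksum) + payload

    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0, src_ip, dst_ip)
    ip_csum = (~ones_complement_sum(ip_header)) & 0xFFFF
    ip_header = ip_header[:10] + struct.pack("!H", ip_csum) + ip_header[12:]
    return ip_header + segment


def inspect(packet: bytes, verify_checksums: bool = True) -> Optional[str]:
    """Return the rule message if the honeytoken rule fires, else None.
    verify_checksums=True models Snort's default; False models -k none."""
    ihl = (packet[0] & 0x0F) * 4
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:]
    src_port = struct.unpack("!H", segment[0:2])[0]
    data_off = (segment[12] >> 4) * 4

    if verify_checksums:
        stored = struct.unpack("!H", segment[16:18])[0]
        zeroed = segment[:16] + b"\x00\x00" + segment[18:]
        if tcp_checksum(src_ip, dst_ip, zeroed) != stored:
            return None  # bad checksum: discarded before any rule is evaluated

    payload = segment[data_off:]
    if src_port == RULE_SRC_PORT and RULE_CONTENT in payload:
        return RULE_MSG
    return None


# Constructed sample payload: a reply from port 1433 carrying the token.
PAYLOAD = b"HONEYTOKEN\r\n"
GOOD = build_packet(PAYLOAD, 1433)                    # valid checksum, e.g. from a tap
OFFLOADED = build_packet(PAYLOAD, 1433, checksum=0)   # placeholder checksum, host-side capture

if __name__ == "__main__":
    print("valid checksum, verification on :", inspect(GOOD, True))
    print("offloaded,      verification on :", inspect(OFFLOADED, True))
    print("offloaded,      verification off:", inspect(OFFLOADED, False))
```

The same packet matches the rule or silently disappears depending only on whether checksum verification runs first, which is why a rule can look broken in live mode while the content itself is fine. Before turning verification off for a whole sensor, it is worth confirming the diagnosis by checking whether the live captures really do show bad TCP checksums, since that points at offload on the capturing host rather than at the rule.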
Current thread:
- RE : snort honeytoken config rmkml (May 03)
- Re: RE : snort honeytoken config Samuel Kidman (May 04)
- Re: RE : snort honeytoken config Al Lewis (allewi) (May 04)
- Re: RE : snort honeytoken config Samuel Kidman (May 04)