Snort mailing list archives

Re: gzip decompress search fails.


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 8 Aug 2016 16:50:08 +0000

2.9.6.0 has been EOL for a few years.

Please download Snort and compile from scratch.

Install guides are available on the Documents page on Snort.org (http://snort.org).

Sent from my iPhone

On Aug 8, 2016, at 12:41 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:

Hi Joel,

I am running snort on: Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
And I installed snort using debian packages, i.e. by 'apt-get install snort'. The version of snort that got installed is
Version 2.9.6.0 GRE (Build 47)
I am attaching the snort.conf file that I currently have.

I tried a simple content rule and it worked fine, but when I tried a rule with "file_data" as an attribute then it never gets triggered (I generated the relevant traffic that should trigger that rule).
Also below are the two rules in my local.rules (first one is not working):

alert tcp any any <> any any (msg:"SEEN-file_data-PhoneNo";file_data;content:"3028314317";nocase;sid:9000003;rev:1;)
alert tcp any any <> any any (msg:"SEEN-content";content:"a";nocase;sid:9000002;rev:1;)

P.S: I tried all possible ways to troubleshoot this issue but couldn't make it work, hence thought that the Ubuntu snort version could be broken.

Thanks,
Fatema.




On Mon, Aug 8, 2016 at 9:07 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
Can you attach a sanitized version of your snort.conf here?

--
Joel Esler
Manager
Open Source
Talos Group
http://www.talosintelligence.com


On Aug 3, 2016, at 1:21 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:

Hi,

I wanted to test this rule using snort, just as a starting point, and think that snort fails to decompress the file data and hence the rule is never triggered. Any idea what I am missing?

alert tcp any any <> any any (msg:"SEEN-1234565555-file_data";file_data;content:"1234565555";nocase;sid:9000003;rev:1;)

Please help me on this, this is kinda an urgent issue for me to solve.

Thanks,
Fatema.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


<snort.conf>
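The two rules in Fatema's message behave differently for a reason that is easy to reproduce offline: the bare `content:"a"` rule matches anywhere in the raw packet payload (the HTTP headers alone contain an "a"), while the phone number only exists in the decoded response body and never appears in the gzip-compressed bytes on the wire. The Python script below is an added illustration, not code from the thread or from Snort; it constructs a sample gzip-encoded HTTP response, shows that a raw search for the digits fails, and shows that a search over the decoded body (what `file_data` is meant to inspect once the HTTP preprocessor has decompressed the response) succeeds. The phone number and page body are constructed sample values.

```python
"""Added example (not from the thread or from Snort): why a bare content match
can fire on a gzip-encoded HTTP response while a file_data-style match on the
same digits does not, unless the body is decompressed first."""
import gzip
import zlib
from typing import Optional

# Constructed sample values: the phone number from the thread placed once in a
# repetitive page body, so deflate genuinely compresses it instead of storing it.
PHONE = b"3028314317"
PAGE_BODY = (b"<html><body>" + b"<p>Customer service line</p>" * 30
             + b"<p>Call " + PHONE + b" today.</p></body></html>")


def build_response(body: bytes, gzipped: bool = True) -> bytes:
    """Return a minimal HTTP/1.1 response carrying `body`, gzip-encoded by default."""
    payload = gzip.compress(body) if gzipped else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def raw_match(packet: bytes, needle: bytes) -> bool:
    """Case-insensitive search over the whole payload, the way a bare
    `content:...;nocase;` with no buffer modifier sees the packet."""
    return needle.lower() in packet.lower()


def decoded_body(packet: bytes) -> Optional[bytes]:
    """Split headers from body and undo `Content-Encoding: gzip`.
    Returns None when the body cannot be decoded, which is exactly the case
    where a match on decoded data silently never fires."""
    head, sep, body = packet.partition(b"\r\n\r\n")
    if not sep:
        return None
    encoding = b""
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding":
            encoding = value.strip().lower()
    if encoding == b"gzip":
        try:
            return gzip.decompress(body)
        except (OSError, EOFError, zlib.error):  # corrupt or truncated stream
            return None
    return body


def body_match(packet: bytes, needle: bytes) -> bool:
    """Case-insensitive search over the decoded body, i.e. what a
    `file_data;content:...;` rule is meant to inspect after decompression."""
    body = decoded_body(packet)
    return body is not None and needle.lower() in body.lower()


if __name__ == "__main__":
    gz = build_response(PAGE_BODY)
    print("raw packet contains digits:   ", raw_match(gz, PHONE))   # False
    print("decoded body contains digits: ", body_match(gz, PHONE))  # True
    print("raw packet contains 'a':      ", raw_match(gz, b"a"))    # True
```

Run it as a script to see the three outcomes side by side. The takeaway for the snort.conf is that `file_data` can only match the digits if the HTTP preprocessor actually decompresses the response before inspection; in Snort 2.9.x that is governed by the `http_inspect_server` options `inspect_gzip` together with `extended_response_inspection` (and the port carrying the traffic must be in that server profile's port list), which is the first thing to check in the attached configuration before suspecting the build itself.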