Snort mailing list archives
Re: content-based rules not detected
From: "Bhargava Jandhyala (bjandhya)" <bjandhya () cisco com>
Date: Wed, 22 Feb 2017 11:24:48 +0000
Please use this rule:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Worm detected"; content:"|d9 74 24 44|"; sid:1000006; rev:1; classtype:malicious-code;)

No need for any command for payload-based rules.

For your help, some examples:

    alert tcp any any -> any any (\
        msg:"Rule 2 -- alert since decode buffer searched by default"; \
        content:"|5a 7d 87 ff 00 02 03 28 05|"; \
        sid:2; rev:1;)

Thanks,
Bhargava

From: praveen kumar <praveen.sssgroups () gmail com>
Date: Wednesday, 22 February 2017 at 4:06 PM
To: "Snort-users () lists sourceforge net" <Snort-users () lists sourceforge net>
Subject: [Snort-users] content-based rules not detected

Hello,

I have written a content-based rule that matches the payload (contents) of certain packets (against a .pcap file), and that rule doesn't seem to work.

Example:

Step 1: I have added this rule in local.rules:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Worm detected"; content:"|d9 74 24 44|"; sid:1000006; rev:1; classtype:malicious-code;)

and included local.rules in the snort.conf file, and also added the classtype in the classification.config file.

Step 2: Ran

    sudo snort -A console -r malicious.pcap -c snort.conf

Here, at the end (on the console), we can see that rule being added, but no alert is being triggered. Do I need to run any other command for payload-based rules to work?

And lastly, I want to ask how to write content-based rules. Please help in this regard.

Thank you
Current thread:
- content-based rules not detected praveen kumar (Feb 22)
- Re: content-based rules not detected Bhargava Jandhyala (bjandhya) (Feb 22)