Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: content-based rules not detected

From: "Bhargava Jandhyala (bjandhya)" <bjandhya () cisco com>
Date: Wed, 22 Feb 2017 11:24:48 +0000
Please use this rule

alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”; content:"|d9 74 24 44|"; rev:1; 
classtype:malicious-code;  )

no need any commend for payload-based rules.

For your help, some example

alert tcp any any -> any any (\
    msg:"Rule 2 -- alert since decode buffer searched by default"; \
    content:"|5a 7d 87 ff 00 02 03 28 05|"; \
    sid:2; rev:1)


Thanks,
Bhargava


From: praveen kumar <praveen.sssgroups () gmail com>
Date: Wednesday, 22 February 2017 at 4:06 PM
To: "Snort-users () lists sourceforge net" <Snort-users () lists sourceforge net>
Subject: [Snort-users] content-based rules not detected

Hello ,

I have written content-based rule that matches for the payload (contents) of certain packets(against .pcap file) and 
that rule doesn't seem to work.
ex:
Step 1:  I have added this rule in local.rules
        alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”; content:”|d9 74 24 44|”; sid:1000006;rev:1; 
classtype:malicious-code;  )
        and, included local.rules in snot.conf file and also added classtype in classification.config file

Step 2: Ran sudo snort -A console -r malicious.pcap -c snort.conf

Here, at the end (on console) we can see that rule being added but no alert is being triggered.
Do i need to run any  other command for payload-based rules to work ??

And lastly I want to ask how to write content-based rules.

Please help in this regard

Thank you

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: