Snort mailing list archives
Re: Snort -Problem with rule -
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 1 May 2017 02:19:29 +0000
Replay the pcap file into snort with the -r option. Check the manual for more info. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node8.html Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com<mailto:allewi () cisco com> From: Joe Bowes <joebowes50 () yahoo com<mailto:joebowes50 () yahoo com>> Reply-To: "joebowes50 () yahoo com<mailto:joebowes50 () yahoo com>" <joebowes50 () yahoo com<mailto:joebowes50 () yahoo com>> Date: Sunday, April 30, 2017 at 7:38 PM To: allewi <allewi () cisco com<mailto:allewi () cisco com>>, "younes.abderrahmane31 () gmail com<mailto:younes.abderrahmane31 () gmail com>" <younes.abderrahmane31 () gmail com<mailto:younes.abderrahmane31 () gmail com>>, 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: Re: [Snort-users] Snort -Problem with rule - Hello.....i am working on a class assignment.....having a hard time....need to learn how to export packets from wireshark into Snort.....any help greatly appreciated. Sent from Yahoo Mail on Android<https://overview.mail.yahoo.com/mobile/?.src=Android> On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>> wrote: Hello, It may be easier to get help if you included a pcap of the traffic. Thanks. Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com<mailto:allewi () cisco com> On 4/28/17, 9:05 PM, "younes.abderrahmane31 () gmail com<mailto:younes.abderrahmane31 () gmail com>" <younes.abderrahmane31 () gmail com<mailto:younes.abderrahmane31 () gmail com>> wrote:
Hello everyone I am trying to test SQLI with a snort I have two machines: 1- Where I installedSNORT, and the application dvwa (to test sql injection) 2- The machine which is going to make the attack Sqli injection on the dvwa application So in the first machine I added this rule (in local.rule), To detect Sqli (https://www.linkedin.com/pulse/detecting-sql-injections-real-time-mission-impossible-val-smirnov) ************************************************************ alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:10000002; rev:002;) ************************************************************** And after the test sudo snort -T -c /etc/snort/snort.conf -i eth0 sudo snort -A console -c /etc/snort/snort.conf -i eth0 Snort detect nothing (for exemple ‘1or1=1#) But when I deleted the part pcre of the rule, snort detect it ********************************************************************************************** alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002; rev:002;) *********************************************************************************************** Someone can help me, why the first rule does not work (pcre ) Thank's. Sent from Mail for Windows 10
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort -Problem with rule - younes.abderrahmane31 (Apr 28)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)
- Re: Snort -Problem with rule - Joe Bowes (Apr 30)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)
- Re: Snort -Problem with rule - 강명훈 (May 01)
- Re: Snort -Problem with rule - Younes Abderrahmane (May 01)
- Re: Snort -Problem with rule - Joe Bowes (Apr 30)
- Re: Snort -Problem with rule - Al Lewis (allewi) (Apr 30)