Snort mailing list archives

Re: Snort -Problem with rule -


From: 강명훈 <mhkang589 () gmail com>
Date: Tue, 2 May 2017 00:39:24 +0900

The PCRE tries to match the string 'or+1=1'. Does the string 'or+' (one or more '+') actually exist in the packet?
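To make the point above concrete, here is an added example (mine, not code from anyone in this thread) that emulates the posted rule's two-stage check in Python: the `content:"1%3D1"` match first, then the `pcre:"/or\++1%3D1/Pi"` pattern, run over the form-encoded POST body a browser would send for the inputs discussed. The field names `id` and `Submit` and the sample inputs are constructed for illustration; Snort's `P` modifier (client body scoping) is modelled only by feeding the pattern the body string directly.

```python
import re
from urllib.parse import quote_plus

# Options copied from the rule posted in the thread. Snort's /i modifier makes the
# pcre case-insensitive; /P restricts it to the HTTP client body. A plain string
# stands in for that body here, so only the pattern and the i flag are modelled.
RULE_CONTENT = "1%3D1"                              # content:"1%3D1" (no nocase -> case-sensitive)
RULE_PCRE = re.compile(r"or\++1%3D1", re.IGNORECASE)  # pcre:"/or\++1%3D1/Pi"


def form_body(value, field="id"):
    """Build the application/x-www-form-urlencoded body a browser would POST for one
    text field. quote_plus turns spaces into '+', '=' into %3D, "'" into %27 and
    '#' into %23, which is exactly why the rule looks for 'or' followed by '+'.
    The field names are constructed for this example."""
    return f"{field}={quote_plus(value)}&Submit=Submit"


def evaluate_rule(body):
    """Emulate the rule: the content match must hit, then the pcre must hit.
    Returns (content_hit, pcre_hit, alerts)."""
    content_hit = RULE_CONTENT in body
    pcre_hit = content_hit and RULE_PCRE.search(body) is not None
    return content_hit, pcre_hit, content_hit and pcre_hit


def explain(value):
    """Show, for one form input, what ends up on the wire and which stage fails."""
    body = form_body(value)
    content_hit, pcre_hit, alerts = evaluate_rule(body)
    return {"input": value, "body": body, "content": content_hit,
            "pcre": pcre_hit, "alert": alerts}


if __name__ == "__main__":
    # Constructed inputs: the one from the thread, and two with a space before "or"/"1".
    for value in ["'1or1=1#", "' or 1=1#", "' OR 1=1 -- "]:
        print(explain(value))
```

Running it shows that `'1or1=1#` is sent as `%271or1%3D1%23`: the content `1%3D1` is present, so the pcre-less rule fires, but there is no `+` between `or` and `1`, so `or\++1%3D1` never matches and the full rule stays silent. One further caveat worth checking before blaming the pcre: in the posted rule `http_client_body` also scopes the content to POST bodies, while the stripped-down rule searches the whole payload; a form submitted with GET would be missed by the first rule for that reason alone.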

2017-05-01 11:19 GMT+09:00 Al Lewis (allewi) <allewi () cisco com>:

Replay the pcap file into snort with the -r option.

Check the manual for more info. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node8.html



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Joe Bowes <joebowes50 () yahoo com>
Reply-To: "joebowes50 () yahoo com" <joebowes50 () yahoo com>
Date: Sunday, April 30, 2017 at 7:38 PM
To: allewi <allewi () cisco com>, "younes.abderrahmane31 () gmail com" <younes.abderrahmane31 () gmail com>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort -Problem with rule -

Hello..... I am working on a class assignment..... having a hard time..... I need to learn how to export packets from Wireshark into Snort..... any help greatly appreciated.

Sent from Yahoo Mail on Android <https://overview.mail.yahoo.com/mobile/?.src=Android>

On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Hello,

    It may be easier to get help if you included a pcap of the traffic.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

On 4/28/17, 9:05 PM, "younes.abderrahmane31 () gmail com" <younes.abderrahmane31 () gmail com> wrote:

Hello everyone,
I am trying to test SQLi with Snort.
I have two machines:
1- Where I installed Snort and the application DVWA (to test SQL injection)
2- The machine which is going to make the SQLi attack on the DVWA application

So in the first machine I added this rule (in local.rules), to detect SQLi
(https://www.linkedin.com/pulse/detecting-sql-injections-real-time-mission-impossible-val-smirnov)
************************************************************
alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:10000002; rev:002;)
**************************************************************

And after the test
sudo snort -T -c /etc/snort/snort.conf -i eth0
sudo snort -A console -c /etc/snort/snort.conf -i eth0
Snort detects nothing (for example '1or1=1#).

But when I deleted the pcre part of the rule, Snort detects it
**********************************************************************************************
alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002; rev:002;)
***********************************************************************************************


Can someone help me understand why the first rule (with the pcre) does not work?
Thanks.


Sent from Mail for Windows 10

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
-- 
-----------------------
Kang Myoung-hun
-----------------------
+82-10 6604 6084
kangmyounghun.blogspot.kr