Snort mailing list archives

Re: packet logging

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 23 Jul 2003 09:59:03 -0400

At 03:07 PM 7/23/2003 +0800, cc wrote:

I'm just testing snort right now and was wondering if someone
could tell me if the following rule is wrong:

alert tcp any any -> $LAN any ( content: "GET /banner/"; \
                                msg: "banner test";)

It's in the myrules.rules file and is included in the
snort.conf file.

If a user from a workstation goes to a website and the
website sends a banner, shouldn't there be a log?


No, becaause the GET command will go FROM the lan not TO it.

You would want:


alert tcp $LAN any -> any any ( content: "GET /banner/"; \
                 msg: "banner test";)

Or for efficiency of not checking _EVERY_ tcp packet only check useful onesgoing to a normal http server:


alert tcp $LAN any -> any 80 ( content: "GET /banner/"; flags:A+; \
                 msg: "banner test";)



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

packet logging cc (Jul 23)
- Re: packet logging Matt Kettler (Jul 23)