Snort mailing list archives
Re: Question about rules
From: Ricardo Barbosa <ricardobarbosams () yahoo com br>
Date: Wed, 27 Jan 2010 10:47:35 -0800 (PST)
Hi all, solve the problem of string teste_rule and still did not work. Snort was already being started with the -vdi eth0 options and added the option -k none but without success. How do I dump via pcap? I did an analysis by wireshark log follows below. -------------------- wireshark.log(command tshark -V) ---------------------------------------- Truncated.... Internet Protocol, Src: 10.1.1.2 (10.1.1.2), Dst: 20.1.1.2 (20.1.1.2) Version: 4 Truncated.... Source: 10.1.1.2 (10.1.1.2) Destination: 20.1.1.2 (20.1.1.2) Transmission Control Protocol, Src Port: http (80), Dst Port: 51427 (51427), Seq: 1, Ack: 602, Len: 378 Source port: http (80) Destination port: 51427 (51427) Truncated.... Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n] [Message: HTTP/1.1 200 OK\r\n] [Severity level: Chat] [Group: Sequence] Request Version: HTTP/1.1 Response Code: 200 Date: Wed, 27 Jan 2010 00:24:44 GMT\r\n Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin- Patch\r\n Last-Modified: Mon, 25 Jan 2010 20:12:45 GMT\r\n ETag: "8850-32-47e02cad78940"\r\n Accept-Ranges: bytes\r\n Content-Length: 50\r\n [Content length: 50] Keep-Alive: timeout=15, max=100\r\n Connection: Keep-Alive\r\n Content-Type: text/html\r\n \r\n Line-based text data: text/html <html>\n <body>\n <h1>teste_rule</h1>\n </body>\n </html>\n Regards --- Em qua, 27/1/10, Matt Olney <molney () sourcefire com> escreveu: De: Matt Olney <molney () sourcefire com> Assunto: Re: [Snort-users] Question about rules Para: "Ricardo Barbosa" <ricardobarbosams () yahoo com br> Cc: "rmkml" <rmkml () free fr>, snort-users () lists sourceforge net Data: Quarta-feira, 27 de Janeiro de 2010, 14:03 1) You didn't say you did, so double check that you added "-k none" to your command line2) snort -vdi eth0 should dump the traffic you are seeing, assuming you are sniffing on eth0. Let us know how that goes. Failing that, send us a PCAP (captured on your Snort interface) of the traffic. Matt On Wed, Jan 27, 2010 at 8:15 AM, Ricardo Barbosa <ricardobarbosams () yahoo com br> wrote: Hi rmkml answering questions
what snort version you test please?
root@capsula:~# snort -V ,,_ -*> Snort! <*- o" )~ Version 2.8.4.1 (Build 38) '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html Copyright (C) 1998-2009 Sourcefire, Inc., et al. Using PCRE version: 7.8 2008-09-05 root@capsula:~#
Do you send your
conf?
/etc/snort/snort.debian.conf
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="20.0.0.0/8"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
/etc/snort/snort.conf
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
dynamicpreprocessor directory
/usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor
ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len
500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
output log_tcpdump: tcpdump.log
include classification..config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include
$RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc..rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
include $RULE_PATH/sql.rules
include
$RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/experimental.rules
include
threshold.conf
snort cmd line starting please?
/usr/sbin/snort -m 027 -D -d -v -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[10.0.0.0/8] -i eth0
for example, maybe disable checksum with '-k none' on cmd line... you have created a html page (http reply server side), and you have created a snort rule on client (to server) side...
Regards
In desperation, I tried the following rules
alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST
HTTP"; sid:100000000;)
alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP";
sid:100000000;)
alert tcp any any <> any any (content:"teste rule"; http_client_body;
msg:"TEST HTTP"; sid:100000000; depth:1000;)
without sucess in all.
no idea where i can be wrong or missing some pre-processador. I thank
Regards.
Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10 - Celebridades - Música - Esportes
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Question about rules Ricardo Barbosa (Jan 26)
- <Possible follow-ups>
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Matt Olney (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Matt Olney (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)
- Re: Question about rules Joel Esler (Jan 27)
- Re: Question about rules Ricardo Barbosa (Jan 27)