Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 20 Oct 2011 17:49:10 +0100
Hello all
Apologies, I was being a bit stupid.
snort -c /etc/snort/pcap.conf -r spyeye.pcap -A console -q -O
10/20-17:32:16.442956 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62074 -> xxx.xxx.xxx.xxx:8080
10/20-17:34:48.278042 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62088 -> xxx.xxx.xxx.xxx:8080
10/20-17:37:20.332410 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:62113 -> xxx.xxx.xxx.xxx:8080
So yes, my 2.9.1.1 sensor alerts from a pcap but not from the same
traffic being received via afpacket/DAQ.
However the simple GET rule:
alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)
is still firing when I test it.
--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
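As an added example (not part of the thread or of Snort itself), a small Python helper that parses fast-alert lines in the format shown above and lists the rules that fired on the pcap replay but never on the live afpacket/DAQ sensor, which is the comparison the message is making by hand. The sample alert text and the 192.0.2.x / 198.51.100.x addresses are constructed stand-ins for the masked xxx.xxx.xxx.xxx output.

```python
import re
from collections import Counter

# Snort fast-alert (-A console) line, as in the message above: timestamp, gid:sid:rev,
# msg, optional classification, priority, protocol and endpoints with optional ports.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k]) if a[k] is not None else None
        alerts.append(a)
    return alerts

def sids_missing_live(pcap_alerts, live_alerts):
    """(gid, sid) pairs that fired on the pcap replay but never on the live sensor,
    with the pcap hit count; these are the rules to investigate first."""
    live = {(a["gid"], a["sid"]) for a in live_alerts}
    counts = Counter((a["gid"], a["sid"]) for a in pcap_alerts)
    return {k: n for k, n in counts.items() if k not in live}

# Constructed sample output (not captured from the author's sensor); the addresses
# are RFC 5737 documentation ranges standing in for the masked ones in the message.
PCAP_RUN = """\
10/20-17:32:16.442956 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:62074 -> 198.51.100.5:8080
10/20-17:34:48.278042 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:62088 -> 198.51.100.5:8080
10/20-17:37:20.332410 [**] [1:2012686:1] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:62113 -> 198.51.100.5:8080
10/20-17:38:02.001200 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 192.0.2.10:62120 -> 198.51.100.7:80
"""
LIVE_RUN = """\
10/20-17:38:02.001200 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 192.0.2.10:62120 -> 198.51.100.7:80
"""

if __name__ == "__main__":
    missing = sids_missing_live(parse_alerts(PCAP_RUN), parse_alerts(LIVE_RUN))
    for (gid, sid), n in sorted(missing.items()):
        print(f"{gid}:{sid} fired {n}x from pcap, 0x live")
```

Feed it the console output of the `snort -r` run and of the live sensor (from the same time window) and the rules that only fire offline fall out directly.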
