Re: question for snort flow established

[waldo kitty <wkitty42 () windstream net>]

On 3/17/2013 22:51, zhaojunling_20 wrote:
> Dear All,
>
> Do anyone help me with this topic. :(

first: it was the weekend... not many folks are available at their business to 
get these emails on the weekend...

second: please give folks time to get to where they can read the thread and 
formulate a post /if/ they have anything to offer...


"established" means that a proper three-way handshake has taken place and the 
TCP connection is good...

what does a pcap of that specific traffic flow show? the whole stream from the 
initial syn to the final tear down of the connection... you'll need something 
other than snort to capture this... tcpdump or wireshark...


> At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 () 163 com> wrote:
>
>     Dear All,
>
>     By the way if I comment keyword "_established"_, the rule workes. And I
>     attached snort.conf and output when I running
>     snort</usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf>.
>     version of snort is snort Version 2.9.4.1 GRE
>
>     #########
>     alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>     installation request"; content:"Zango/Setup.exe";flow:
>     to_server_,established_;
>     reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>     classtype:policy-violation; sid:10000019; rev:3;)
>
>
>
>     At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 () 163 com
>     <mailto:zhaojunling_2000 () 163 com>> wrote:
>
>         Dear friends,
>
>         FYI
>         # List of web servers on your network
>         ipvar HTTP_SERVERS 10.2.11.2/24
>
>         # List of ports you run web servers on
>         portvar HTTP_PORTS
>         
> [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
>
>
>         At  2013-03-17  04:00:21,"waldo  kitty"  <wkitty42 () windstream net  <mailto:wkitty42 () windstream net>>  
> wrote:
>         >On  3/16/2013  10:10,  zhaojunling_20  wrote:
>         >>  Dear  All,
>         >>
>         >>  I  have  a  little  question,  if  I  installed  snort  on  my  web  server<ipaddress
>         >>  10.2.11.2>  which  has  only  one  ethernet  interface  and  snort  inspect  the
>         >>  interface,  does  "flow  with  option  established"  work  or  not?
>         >
>         >yes...  it  has  to  as  several  tens  of  thousands  of  rules  use  it  ;)
>         >
>         >>  I  have  tested  the  below  rule  with
>         >>  ----http://10.2.11.2/test.php?user=Zango/Setup.exe,  no  alert  arised.
>         >>  alert  tcp  any  any  ->  $HTTP_SERVERS  $HTTP_PORTS  (msg:"WEB-CLIENT  Zango  adware
>         >
>         >what  does  your  $HTTP_SERVERS  and  $HTTP_PORTS  vars  contain  from  your  snort.conf??
>         >
>         >>  installation  request";  content:"Zango/Setup.exe";flow:  to_server,established;
>         >>  reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>         >>  classtype:policy-violation;  sid:10000019;  rev:3;)
>         >>  appreciate  your  help~



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!