Snort mailing list archives

Problems using flow quantifier


From: Research <research () nativemethods com>
Date: Thu, 5 Mar 2015 13:48:18 -0500

Hello,

I have just begun writing my own rules for Snort 2.9.7.0.  While I am aware that there are pre-existing rules that are 
probably: 1) more accurate 2) more optimized and 3) time tested, I am aiming to learn how to write rules from scratch.

I currently have a basic rule that looks for a request to a web server for the “robots” file for crawling.  The idea 
behind this rule is to receive notification when a web crawler indexes the web server.  The early draft of the rule 
looks like this:

        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
                (msg:"Web crawl attempt: robots.txt"; content:"robot"; sid:10000002; rev:001;)

If I perform a simple test with telnet:

        telnet www.example.org 80
        GET /robot

…I see the results in the alerts.log file in /var/log/snort.

My next step in optimizing the rule was to use the flow quantifier.  I used the established_to option to specify 
traffic that had already established a three way handshake and to_server to specify a flow from a client to the server. 
 The rule looks like:

        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
                (msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"robot"; sid:10000002; rev:002;)

…however, my telnet test from before now does not cause an event to be logged.  If I remove the 
flow:established,to_server; portion, the rule then works again.

I am unaware of flow having to be in a specific position in the rule (i.e. after content), so I am not sure what the 
problem could be. When I am running snort, I use the following command line:

        sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

I am wondering what I am doing incorrectly?

Thanks.
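To test a flow:established rule deterministically rather than with an interactive telnet session, the following added script (not from the original post) writes a pcap containing a complete three-way handshake followed by a single client-to-server GET /robots.txt segment, with valid IP and TCP checksums (Snort discards bad-checksum packets by default); the addresses, ports and MACs are constructed.

```python
import struct
from ipaddress import ip_address

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums are filled in so stream5 will track it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_address(src).packed + ip_address(dst).packed + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # constructed MACs
    return eth + ip + tcp

def verify_frame(fr: bytes) -> bool:
    """Recompute both checksums over a finished frame; True only if both verify."""
    ip, tcp = fr[14:34], fr[34:]
    pseudo = ip[12:20] + b"\x00\x06" + struct.pack("!H", len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

def robots_session(request=b"GET /robots.txt HTTP/1.0\r\n\r\n"):
    """SYN, SYN/ACK, ACK, then one PSH/ACK data segment from client to server."""
    cseq, sseq = 1000, 5000
    return [
        frame(CLIENT, SERVER, 40000, 80, cseq, 0, SYN),
        frame(SERVER, CLIENT, 80, 40000, sseq, cseq + 1, SYN | ACK),
        frame(CLIENT, SERVER, 40000, 80, cseq + 1, sseq + 1, ACK),
        frame(CLIENT, SERVER, 40000, 80, cseq + 1, sseq + 1, PSH | ACK, request),
    ]

def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    write_pcap("robots_handshake.pcap", robots_session())
```

Replay the file with `snort -c /etc/snort/snort.conf -r robots_handshake.pcap` so the stream preprocessor sees the whole session before the data segment; if the rule fires here but not against live telnet, the difference lies in what stream5 saw on the wire, not in the rule's option order.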