Snort mailing list archives
Problems trying to grep traffic in TCP streams
From: snort () tmp com br
Date: Tue, 23 Oct 2001 18:09:21 -0200
Hello, folks.

I am having problems with getting snort to produce alerts when some traffic appears in a TCP stream. What I want is to have snort search for a pair of strings that may occur at any time during TCP sessions. I have two cases of interest, with different strings each, that may happen via SMTP or via a web-based e-mail provider. Then I set the rules below but could not get the desired behaviour to happen.

The first rule, for SMTP, worked fairly well with 1.8.1, but failed to work if the two strings were too distant from one another. The second rule never worked, even with variations to make string matches exact, instead of case-insensitive and with wildcard characters. With the CVS version, even the test set for the first rule stopped producing alarms.

Are my rules wrong for the behaviour I want? Do you have any pointers?

I tried the same versions with the same rule set in a NetBSD-1.5.2 machine, and results were exactly the same.

System architecture: i386 (Pentium-III 700)
Operating system: Linux, kernel 2.0.36, libc5; NetBSD-1.5.2

Rules:

8<------------------------------------------------------------------------
#snort config file to test ability to detect suspect content

preprocessor frag2
preprocessor stream4: timeout 60
preprocessor stream4_reassemble: clientonly, ports 25 3128

var MONITORED_CLIENTS [0/0]
var MONITORED_SERVERS [0/0]
var SERVER_PORT 80

alert tcp any any -> any any ( \
        flags: A+; \
        \
        content: "something1"; \
        content: "otherstuff2"; \
        nocase; \
        msg: "something1+otherstuff2 detected";\
)

alert tcp any any -> any any ( \
        flags: A+; \
        \
        content: "POST /cgi-bin/webmail.exe"; \
        content: "=abuse%40tmp.com.br"; \
        nocase; \
        msg: "Detected sending webmail to abuse () tmp com br";\
)
#eof snort.conf
------------------------------------------------------------------------>8

Command line used: "snort -z est", "snort -b -z est", "snort -z all", "snort -b -z all"

Below are the test commands, data and output from snort.
For the first rule:

% telnet mailhost 25
helo something1
mail from: otherstuff2 () tmp com br
rcpt to: pappires () tmp com br
data
Test
.
quit

Output with 1.8.1_RELEASE: /var/log/snort/alert

[**] [1:0:0] something1+otherstuff2 detected [**]
10/22-12:52:22.213856 192.168.0.2:16691 -> 192.168.0.1:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:144
***AP*** Seq: 0x951B462A Ack: 0xCB327D81 Win: 0x7FDF TcpLen: 20

Output with CVS version (1.8.2beta0): /var/log/alert: Nothing!

For the second rule:

% telnet squid 3128
POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0
Content-Length: 0

Output with 1.8.1_RELEASE: /var/log/snort/alert: Nothing!
Output with CVS version (1.8.2beta0): /var/log/snort/alert: Nothing!

--
Paulo Alexandre Pinto Pires -- pappires () tmp com br
TMP Consultoria em Informatica S/C -- http://www.tmp.com.br
Phone: +55-21-2556-3791
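An added example, not part of the post above, that models two properties of Snort content matching which bear on the posted rules: every content clause of a rule has to match inside the same buffer the detection engine inspects (one packet, or the chunk that stream reassembly hands over when it flushes), and a nocase modifier applies only to the content clause written before it. The packet sequences, the fixed-size chunking model of reassembly and the path-only variant of the second rule are constructed here for illustration and are not Snort's own code.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Content:
    """One Snort 'content' clause; nocase models the modifier placed after it."""
    pattern: bytes
    nocase: bool = False


def content_matches(buf: bytes, c: Content) -> bool:
    if c.nocase:
        return c.pattern.lower() in buf.lower()
    return c.pattern in buf


def rule_matches(buf: bytes, rule: List[Content]) -> bool:
    """All content clauses must match within the same inspected buffer."""
    return all(content_matches(buf, c) for c in rule)


def flush(packets: List[bytes], n: int) -> List[bytes]:
    """Simplified reassembly model (assumption): one buffer per n client packets."""
    return [b"".join(packets[i:i + n]) for i in range(0, len(packets), n)]


def alerts(buffers: List[bytes], rule: List[Content]) -> List[int]:
    """Indices of inspected buffers that would raise the alert."""
    return [i for i, b in enumerate(buffers) if rule_matches(b, rule)]


# Rule 1 from the post: nocase applies only to "otherstuff2", not to "something1".
RULE1 = [Content(b"something1"), Content(b"otherstuff2", nocase=True)]

# Constructed client packets for the SMTP test session, one command per packet.
SMTP_NEAR = [b"helo something1\r\n", b"mail from: OtherStuff2@tmp.com.br\r\n",
             b"rcpt to: pappires@tmp.com.br\r\n", b"data\r\n", b"Test\r\n.\r\n", b"quit\r\n"]
# Same session, but the second string only turns up in the message body (far apart).
SMTP_FAR = [b"helo something1\r\n", b"mail from: pappires@tmp.com.br\r\n",
            b"rcpt to: pappires@tmp.com.br\r\n", b"data\r\n",
            b"Test otherstuff2\r\n.\r\n", b"quit\r\n"]

# Rule 2 from the post and the request line the proxy test actually sends: a request
# through a proxy carries an absolute URI, so "POST /cgi-bin/..." never appears.
RULE2 = [Content(b"POST /cgi-bin/webmail.exe"), Content(b"=abuse%40tmp.com.br", nocase=True)]
PROXY_REQUEST = (b"POST http://www.bol.com.br/cgi-bin/webmail.exe?q=abuse%40tmp.com.br HTTP/1.0\r\n"
                 b"Content-Length: 0\r\n\r\n")
# Constructed variant (not from the post) anchored on the path, which both forms contain.
RULE2_PATH_ONLY = [Content(b"/cgi-bin/webmail.exe"), Content(b"=abuse%40tmp.com.br", nocase=True)]
```

With per-packet inspection `alerts(SMTP_NEAR, RULE1)` is empty, `alerts(flush(SMTP_NEAR, 2), RULE1)` fires, and `alerts(flush(SMTP_FAR, 2), RULE1)` is empty again until the flush covers the whole session.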