Snort mailing list archives
Re: Snort-1.9.0 not generating required alerts
From: archana rao <archuatdavis () yahoo com>
Date: Tue, 15 Oct 2002 14:13:08 -0700 (PDT)
Hi, I followed the steps you had mentioned, and now I have discovered another problem. Snort-1.9.0 is not accepting the -s (log alerts to syslog) command line option. It gives me either a "fatal error, quitting" error message, or prints out the "USAGE:...." message. I noticed that I was getting the alerts in Snort-1.8.7 when I was using the -s option and so, when I tried doing the same thing, Snort-1.9.0 doesn't seem to be able to recognize the option. Any ideas?

Thanks in advance,
Archana

--- Erek Adams <erek () theadamsfamily net> wrote:
> On Tue, 15 Oct 2002, archana rao wrote:
>
> > Thanks for the reply.
>
> No problem. :)
>
> > The alert that I expect to be generated has sid:981.
>
> Ok, let's have a look at the rules:
>
> 1.8.7
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags:A+; nocase; classtype:web-application-attack; sid:981; rev:5;)
>
> 1.9.0
> web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flow:to_server,established; nocase; classtype:web-application-attack; sid:981; rev:5;)
>
> Note that on 1.8.7 it uses the 'flags:A+' setup. That used to be prone to a lot of false positives and so 'flow' was added.
>
> > It does look for the "flow:to_server,established", but I am establishing a session before sending the packets. I am doing tcpdump of the traffic between my attacking machine and the machine being attacked. I am writing the output of tcpdump into a file and using this tcpdump formatted file as input to Snort. These were the same steps that I followed in Snort-1.8.7. Am I missing out something? As I mentioned earlier, I am establishing a session before firing the packets.
>
> One thing that you might be getting the problem from is that the snaplen of tcpdump is 64bytes where snort's is 1514bytes. Usually, w/ tcpdump you only get the headers and a small bit of the data, unless you explicitly change the snaplen. Try recording the session using a bigger snaplen or with snort. Fire the exploit and see if you can get a capture. Once you get that try running the new capture thru snort and see what you are getting. Something like 'snort -b <options> "host <victim>" ' should get the capture you need. Then 'snort -vader <logfile>' would run the data on the screen.
>
> Good luck!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
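The snaplen point in the thread is easy to verify offline. The script below is an added example, not code from the thread or from the Snort project: it builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP request that contains the exact uricontent string from sid:981, writes it to two pcap files in memory (one truncated to the 64-byte tcpdump snaplen mentioned above, one at Snort's 1514), and then audits each file for two things an analyst would check before blaming the rule: whether the record's captured length is shorter than its wire length, and whether the rule's pattern is still present in the captured TCP payload (compared case-insensitively, as nocase implies). Function names, addresses and ports are all made up for the illustration; the pcap parsing is a minimal hand-rolled reader, not libpcap.

```python
"""Check whether a pcap captured enough payload for a Snort content rule.

Added example (not from the thread or the Snort project): it builds a
constructed one-packet capture, writes it twice (once truncated to the
64-byte snaplen mentioned in the thread, once at Snort's 1514), and then
audits each file the way an analyst would: did the capture cut the packet
short, and does the captured TCP payload still contain the rule's
uricontent string?
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14

# Pattern from sid:981 in the thread; nocase means a case-insensitive match.
SID_981_URICONTENT = b"/scripts/..%c0%af../"


def build_http_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Data offset 5 (20-byte header), flags PSH|ACK, window 8192, no checksum.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames into a classic little-endian pcap, truncating each to `snaplen`."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # Record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire).
        out += struct.pack("<IIII", 1034700000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def read_pcap(data: bytes):
    """Yield (incl_len, orig_len, bytes) for each record in a little-endian pcap."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    pos = 24  # global header is 24 bytes
    while pos + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield incl_len, orig_len, data[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if not TCP/IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if frame[ETH_HDR_LEN + 9] != 6:                       # IP protocol TCP
        return None
    tcp_start = ETH_HDR_LEN + ihl
    if len(frame) < tcp_start + 13:
        return None
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_offset:]


def audit_capture(pcap_bytes: bytes, pattern: bytes = SID_981_URICONTENT):
    """Per packet: was it cut short by the snaplen, and is `pattern` still visible?"""
    results = []
    for incl_len, orig_len, frame in read_pcap(pcap_bytes):
        payload = tcp_payload(frame)
        results.append({
            "caplen": incl_len,
            "wirelen": orig_len,
            "truncated": incl_len < orig_len,
            "payload_len": 0 if payload is None else len(payload),
            "matched": payload is not None and pattern.lower() in payload.lower(),
        })
    return results


# Constructed request carrying exactly the uricontent string the rule looks for.
REQUEST = b"GET /scripts/..%c0%af../ HTTP/1.0\r\n\r\n"
FRAME = build_http_frame(REQUEST)
SHORT_CAPTURE = write_pcap([FRAME], 64)     # tcpdump snaplen cited in the thread
FULL_CAPTURE = write_pcap([FRAME], 1514)    # Snort's snaplen cited in the thread

if __name__ == "__main__":
    for name, cap in (("snaplen 64", SHORT_CAPTURE), ("snaplen 1514", FULL_CAPTURE)):
        for record in audit_capture(cap):
            print(name, record)
```

With the 64-byte snaplen the 91-byte frame is cut after only 10 bytes of HTTP payload ("GET /scrip"), so the uricontent can never match no matter how the session was established; the 1514-byte capture keeps the whole request and the pattern is found. Running the same audit over a real tcpdump file (replace SHORT_CAPTURE with the file's bytes) tells you whether a missing alert is a rule problem or a capture problem before you touch the rule set.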
Current thread:
- Snort-1.9.0 not generating required alerts archana rao (Oct 14)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 14)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Alberto Gonzalez (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 16)
- Re: Snort-1.9.0 not generating required alerts Alberto Gonzalez (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 16)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 14)