Snort mailing list archives

Re: porno rules


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 29 Apr 2003 15:12:42 -0700



On Tue, 2003-04-29 at 13:42, Matt Kettler wrote:
> Are you doing a web or usenet (groups) search on google?
Yes, I'm trying on Google and even clicking on links that appear to
best match the ruleset to try and trigger it.



> Snort will fire off based on the response, not the submission, so if the
> page that comes back has a.p.b.e in the text, it is perfectly reasonable
> for snort to fire off that rule. This is very likely to happen if you were
> to use google's groups search, but very unlikely to happen if you did a web
> search.
>
> That said, view the source of the exact page you got back. Does it contain
> the string alt.binaries.pictures.erotica? If so, snort correctly fired off.
Nope, none of the sites contain that. Strange, huh?

> As far as missing the "nude cheerleader" in the response, have you done a
> kill -USR1 on your snort process and looked at the packet statistics
> (they'll be dumped to syslog so usually wind up in /var/log/messages)? If
> you're dropping packets, that could be why it's seeing one part, and not
> another.
No dropped packets.


> If those options don't help, could you post some more detail? Right now
> you're just giving very vague generalities about what you are doing, and
> what alerts are generated. Be specific. Include alerts and the packet dumps
> that snort generates (IPs censored if you prefer).
It's an OpenBSD server running a PF firewall and NAT.
I have 4 instances of snort running so it's really easy to keep track of
what's going on in each network (there's 4 NICs: 2 NATs, 1 DMZ).
I'm testing it on 1 NAT to see if I can get it running.
Here's what ps -ax | grep snort looks like:

 8024 ??  Is      0:00.75 snort -l /var/www/htdocs/snort/xl0 -A FULL -c
/usr/local/share/snort/snort.conf -D 
13911 ??  Is      0:00.71 snort -i xl1 -l /var/www/htdocs/snort/xl1 -A
FULL -c /usr/local/share/snort/internal-snort.conf -D 
 3722 ??  Is      0:00.76 snort -i xl2 -l /var/www/htdocs/snort/xl2 -A
FULL -c /usr/local/share/snort/internal-snort.conf -D 
 9145 ??  Is      0:00.80 snort -i xl3 -l /var/www/htdocs/snort/xl3 -A
FULL -c /usr/local/share/snort/snort.conf -D 


> Also of note, the fact that you even HAD an entry for ASN1 in your
> snort.conf seems very problematic and indicates the "upgrade" wasn't done
> properly. That line shouldn't have been there in the first place.
>
> When you upgraded to 2.0, you should have made a completely new snort.conf
> based on the one that shipped with 2.0.
>
> Do NOT try to re-use a snort.conf from 1.9.x, if for no other reason than
> the list of *.rules files has changed.
>
> It's also inadvisable to use portscan2 and conversation preprocessors;
> those are disabled by default in snort 2.0's conf.

I changed it to the 2.0 snort.conf file, didn't change a thing :-/

--Bryan

> At 12:49 PM 4/29/2003 -0700, Bryan Irvine wrote:
> > I'm having problems with my porn.rules
> >
> > I'm trying to test it out, but no matter what I type in google for my
> > search criteria it always comes back the same.
> > alt.binaries.pictures.erotica
> >
> > Any ideas?
> >
> > --Bryan
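To make the two points Matt raises in this thread concrete (a content rule fires on the page that comes back, not on the search submission, and a rule can only match what the sensor actually saw in one piece), here is an added toy model in Python. It is not Snort source code and not a rule from porn.rules; the rule header direction (modelled on `$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any`), the `$HOME_NET` prefix, the addresses, ports and HTTP payloads are all constructed assumptions for the example. The last two functions also go slightly beyond the thread by showing why a phrase split across two TCP segments is missed per packet but found once the segments are reassembled.

```python
"""Toy model of Snort-style 'content' matching on an HTTP exchange.

Added example for this thread; not Snort code and not a shipped rule.
Rule headers, addresses, ports and payloads are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

HOME_NET = "10.0.0."        # constructed: crude prefix test standing in for $HOME_NET
HTTP_PORTS = {80, 8080}     # constructed: stands in for $HTTP_PORTS


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """Minimal stand-in for a Snort rule header plus a single content option."""
    sid: int
    msg: str
    content: bytes
    nocase: bool = True
    # "server->home" mirrors a header of the form
    # '$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any' (assumed for this example).
    direction: str = "server->home"

    def header_matches(self, pkt: Packet) -> bool:
        if self.direction == "server->home":
            return pkt.sport in HTTP_PORTS and pkt.dst.startswith(HOME_NET)
        if self.direction == "home->server":
            return pkt.src.startswith(HOME_NET) and pkt.dport in HTTP_PORTS
        return True  # '<>' bidirectional header

    def content_matches(self, payload: bytes) -> bool:
        if self.nocase:
            return self.content.lower() in payload.lower()
        return self.content in payload


# Constructed rules in the spirit of porn.rules; SIDs are placeholders.
RULES = [
    Rule(9000001, "PORN alt.binaries.pictures.erotica", b"alt.binaries.pictures.erotica"),
    Rule(9000002, "PORN nude cheerleader", b"nude cheerleader"),
]


def alerts_for_packet(pkt: Packet, rules=RULES) -> List[int]:
    """SIDs that fire on one packet: the header must match AND the content must be present."""
    return [r.sid for r in rules if r.header_matches(pkt) and r.content_matches(pkt.payload)]


def alerts_for_packets(pkts: List[Packet], rules=RULES) -> List[int]:
    """Per-packet inspection, i.e. no stream reassembly."""
    out: List[int] = []
    for p in pkts:
        out.extend(alerts_for_packet(p, rules))
    return out


def alerts_for_stream(pkts: List[Packet], rules=RULES) -> List[int]:
    """Same rules after joining consecutive segments of one flow, the way a stream preprocessor would."""
    if not pkts:
        return []
    first = pkts[0]
    joined = Packet(first.src, first.sport, first.dst, first.dport,
                    b"".join(p.payload for p in pkts))
    return alerts_for_packet(joined, rules)


# Constructed traffic: the search submission and the page that comes back.
SEARCH_REQUEST = Packet("10.0.0.7", 3456, "192.0.2.10", 80,
    b"GET /search?q=alt.binaries.pictures.erotica HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
RESULT_PAGE = Packet("192.0.2.10", 80, "10.0.0.7", 3456,
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Newsgroup: alt.binaries.pictures.erotica</body></html>")
CLEAN_PAGE = Packet("192.0.2.10", 80, "10.0.0.7", 3457,
    b"HTTP/1.0 200 OK\r\n\r\n<html><body>nothing matching here</body></html>")

# A phrase straddling a segment boundary: each packet alone holds only half of it.
SPLIT_PAGE = [
    Packet("192.0.2.10", 80, "10.0.0.7", 3458, b"HTTP/1.0 200 OK\r\n\r\n<p>Nude cheer"),
    Packet("192.0.2.10", 80, "10.0.0.7", 3458, b"leader tryouts</p>"),
]

if __name__ == "__main__":
    print(alerts_for_packet(SEARCH_REQUEST))  # [] : the submission does not match the header
    print(alerts_for_packet(RESULT_PAGE))     # [9000001] : the returned page does
    print(alerts_for_packet(CLEAN_PAGE))      # []
    print(alerts_for_packets(SPLIT_PAGE))     # [] : halves never contain the whole phrase
    print(alerts_for_stream(SPLIT_PAGE))      # [9000002] : reassembled flow does
```

The same model explains the dropped-packet case: if the segment carrying the phrase never reaches the sensor, neither the per-packet nor the reassembled view can match it, which is why checking the packet statistics is the first diagnostic step.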



