Snort mailing list archives

Re: Snort only alert about traffic with a specific IP


From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 27 May 2008 11:32:25 -0400

Most likely your system uses tcp checksum offloading. Disable checksum 
checking and it will likely work as desired. You should not be 
monitoring from your test machines, this would not occur if you were 
monitoring traffic as it appears on the wire.

Berta Alcala wrote:
First of all, thank you very much for your replies!

I used Ethereal and I realised that I only see traffic that involves my 
IP, although the interface is in promiscuous mode. I'm connected to a 
switch so the problem is there.

But in spite of this, snort doesn't work properly. There are rules that 
don't work for me, for example this rule (I downloaded it from the 
official site):

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; 
flow:from_server,established; content:"530 "; 
pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)

I wrote this other rule because the original one doesn't work for me 
(original rule, sid:1991 in chat.rules). This rule doesn't work with 
"flow" options, in other rules there aren't problems with "flow" options.

alert tcp any 1863 -> $HOME_NET any (msg:"CHAT MSN Login"; flags:PA+; 
content:"LoginTime"; classtype:policy-violation; sid:1000006; rev:1;)

And this other one is very similar and does not work:

alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN logout"; flags:PA+; 
content:"OUT"; classtype:policy-violation; sid:1000009; rev:1;)

I don't know what's wrong!!! It is very strange!!!! Because I'm trying 
simple rules…
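
The symptom Jason describes can be checked directly in a capture: an outbound segment sniffed on a host with TCP checksum offloading still carries the placeholder checksum the stack left for the NIC, so a sensor that verifies checksums (as Snort does by default) discards it. The script below is an added example, not code from the thread; it computes the RFC 793 TCP checksum over a constructed FTP "530" reply (constructed sample addresses 10.0.0.5 and 10.0.0.9) and shows the on-wire copy validating while the locally captured, offloaded copy fails.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    # Pad to an even length, sum 16-bit big-endian words, fold the carries.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    # RFC 793: the checksum covers the IPv4 pseudo-header (src, dst, zero,
    # protocol 6, TCP length) plus the TCP header and payload, with the
    # checksum field itself (header bytes 16..17) treated as zero.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    # True when the checksum stored in the header matches a fresh computation.
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(sport, dport, flags, payload, src_ip, dst_ip, fill_checksum):
    # Minimal 20-byte TCP header (data offset 5, no options), seq/ack = 1.
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment

# Constructed sample: FTP server 10.0.0.5:21 answering client 10.0.0.9:40000.
SRC = bytes([10, 0, 0, 5])
DST = bytes([10, 0, 0, 9])
PAYLOAD = b"530 Login incorrect.\r\n"
PSH_ACK = 0x18

# As seen on the wire: the NIC has filled in the checksum.
ON_WIRE = build_segment(21, 40000, PSH_ACK, PAYLOAD, SRC, DST, fill_checksum=True)
# As seen by a sniffer on the sending host with checksum offloading: the
# field still holds the placeholder (here zero) the stack left for the NIC.
OFFLOADED = build_segment(21, 40000, PSH_ACK, PAYLOAD, SRC, DST, fill_checksum=False)

if __name__ == "__main__":
    for name, seg in (("on the wire", ON_WIRE), ("offloaded local capture", OFFLOADED)):
        state = "valid" if checksum_ok(SRC, DST, seg) else "INVALID"
        print(f"{name}: TCP checksum {state}")
```

If invalid checksums only appear on segments sent by the capturing host, offloading rather than the rule is the cause; Snort 2 can be told to skip the check with `-k none` (or `config checksum_mode: none`) for a test box, while a sensor on a span/mirror port needs no such change.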



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
