Snort mailing list archives
Snort with inline
From: Didier Bortolin <didier.bortolin () gmail com>
Date: Wed, 10 Jun 2009 21:23:14 +0200
Hello everybody,

New with Snort, I am trying to use it in IPS mode. Packets are handled by Snort like this in my logs:

    06/09-21:54:44.717206 XXXXXXXXX:2034 -> XXXXXXXXXXX:80
    TCP TTL:58 TOS:0x0 ID:9926 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0x7AFD82E0 Ack: 0x0 Win: 0xFFFF TcpLen: 32
    TCP Options (6) => MSS: 1452 NOP WS: 3 NOP NOP SackOK
    =====================================+

I connect to my Apache to get the server-info page. In IDS mode I have the alert from Snort, but in IPS mode I have NO alert.

I made a simple rule, and it matches. This rule matches:

    alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST"; sid:2;)

This one does not match, like all the others:

    alert tcp any any -> any any (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; metadata:service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:2; rev:7;)

I tried to change parameters in http_inspect, but with no result; Snort does not take any packet, only my rule.

Can someone help me?

Thank you,
Best regards,
Didier Bortolin
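As an added illustration (not part of the original thread, and not the poster's configuration), the fragment below shows the Snort 2.x settings that a rule using uricontent depends on, next to a plain payload rule that depends on none of them. The server address 192.0.2.10 and the single port 80 are placeholder assumptions; the sids are renumbered because two rules loaded together cannot share sid 2.

```snort
# Added example, not from the original post. 192.0.2.10 and port 80 are
# placeholders; adjust to the real web server before use.
ipvar HTTP_SERVERS [192.0.2.10]
portvar HTTP_PORTS [80]

# Stream reassembly: flow:established needs tracked TCP sessions, in
# inline mode just as in passive mode.
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first

# HTTP normalization: uricontent matches only against the URI buffer that
# http_inspect fills in. Traffic on a port that is not listed here is
# never normalized, so a uricontent rule stays silent for it even though
# the packets are visible in the log.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }

# Plain header/payload rule: no preprocessor dependency, so it fires in
# both IDS and IPS mode as soon as the packet reaches the detection engine.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST"; sid:1000001; rev:1;)

# URI rule: fires only if stream5 has an established session for the flow
# AND http_inspect_server has normalized this port's traffic.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; sid:1000002; rev:1;)
```

A quick sanity check before deploying is to run snort with -T -c on the configuration, which parses the preprocessor lines and rules without sniffing traffic and reports duplicate sids or malformed options.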
Snort-users mailing list: Snort-users () lists sourceforge net
Current thread:
- Snort with inline Didier Bortolin (Jun 10)
- Re: Snort with inline Will Metcalf (Jun 10)