Snort mailing list archives
Re: Rules not hit on 2.9.1.1 sensor
From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 20 Oct 2011 15:42:17 +0100
Hello again all

On 20/10/2011 13:43, Peter Bates wrote:
I have an old box running Snort 2.8.6, which is behind a firewall. I'm working on a new box running Snort 2.9.1.1 which (for various reasons) is in front of the firewall.
As a cross check I've compiled 2.8.6 on the 'new' box and also copied the working configuration from the 'old' box onto there. When I run it, my test rule:
A test rule on both boxes:

    alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

is hit, but SIDs like

    2012686 (ET TROJAN SpyEye Checkin version 1.3.25 or later)
    2009486 (ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1))
    2011894 (ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin)
    ...

which are being hit on the 'old' box are not seen at all on the new. Although the 'new' box is in front of the firewall I'm a bit lost as to why the traffic is being missed - although tcpdump/httpry does see the traffic.

-- 
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049   Internal Ext: 32049
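The comparison being done by eye in the message above (same rule set, same traffic, which SIDs fire on the 2.8.6 box but never on the 2.9.1.1 box) can be made mechanical by diffing the alert_fast output of the two sensors, using the test rule (sid 4100005) as a control that must appear on both before the diff is trusted. The script below is an added example, not code from this thread or from the Snort project; the log lines are constructed samples in Snort's alert_fast format (timestamps, addresses and ET rule revisions are illustrative), and the function names are my own.

```python
import re
from collections import OrderedDict

# One alert_fast line looks like:
#   10/20-13:41:09.301226  [**] [1:2012686:4] ET TROJAN ... [**] [Classification: ...] [Priority: 1] {TCP} src:port -> dst:port
# Only the [gid:sid:rev] triple and the msg between the two [**] markers are needed here.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_alert_fast(lines):
    """Map (gid, sid) -> {"rev": int, "msg": str, "count": int} for every alert
    line in `lines`; non-alert lines (blank lines, Snort startup chatter) are skipped."""
    seen = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        entry = seen.setdefault(key, {"rev": int(m.group(3)), "msg": m.group(4), "count": 0})
        entry["count"] += 1
    return seen


def compare_sensors(old_lines, new_lines):
    """Return (missing_on_new, only_on_new).

    missing_on_new: rules that fired on the old sensor but never on the new one,
                    as OrderedDict {(gid, sid): msg}, most frequent on old first.
    only_on_new:    rules that fired only on the new sensor, same shape."""
    old = parse_alert_fast(old_lines)
    new = parse_alert_fast(new_lines)

    def ordered(src, exclude):
        hits = [(k, v) for k, v in src.items() if k not in exclude]
        hits.sort(key=lambda kv: (-kv[1]["count"], kv[0]))
        return OrderedDict((k, v["msg"]) for k, v in hits)

    return ordered(old, new), ordered(new, old)


def report(old_lines, new_lines, control_sid=None):
    """Human-readable summary. `control_sid` is a (gid, sid) of a rule expected on
    both sensors; if it is absent on either, the log set itself is suspect (wrong
    interface, wrong log file, sensor not seeing the traffic) and the diff is
    not meaningful."""
    missing, extra = compare_sensors(old_lines, new_lines)
    out = []
    if control_sid is not None:
        on_old = control_sid in parse_alert_fast(old_lines)
        on_new = control_sid in parse_alert_fast(new_lines)
        out.append("control rule %d:%d on old=%s new=%s" % (control_sid + (on_old, on_new)))
    out.append("%d rule(s) fire on old but not new:" % len(missing))
    out.extend("  %d:%d %s" % (gid, sid, msg) for (gid, sid), msg in missing.items())
    out.append("%d rule(s) fire on new but not old:" % len(extra))
    out.extend("  %d:%d %s" % (gid, sid, msg) for (gid, sid), msg in extra.items())
    return "\n".join(out)


# Constructed sample logs (not real captures); ET rule revisions are illustrative.
OLD_SENSOR_ALERTS = """\
10/20-13:41:02.118455  [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 10.1.2.3:51234 -> 198.51.100.7:80
10/20-13:41:09.301226  [**] [1:2012686:4] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.9:49211 -> 198.51.100.21:80
10/20-13:41:15.004871  [**] [1:2009486:7] ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.14:50001 -> 198.51.100.33:80
10/20-13:41:22.770310  [**] [1:2012686:4] ET TROJAN SpyEye Checkin version 1.3.25 or later [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.9:49218 -> 198.51.100.21:80
10/20-13:41:40.912004  [**] [1:2011894:3] ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.27:50542 -> 198.51.100.40:80
"""

NEW_SENSOR_ALERTS = """\
10/20-13:41:02.118901  [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 10.1.2.3:51234 -> 198.51.100.7:80
10/20-13:41:30.221675  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.1.2.3:51234
"""

if __name__ == "__main__":
    print(report(OLD_SENSOR_ALERTS.splitlines(), NEW_SENSOR_ALERTS.splitlines(),
                 control_sid=(1, 4100005)))
```

Run it against the real alert files (`python3 diff_alerts.py` after pointing the two strings at `open(...).read()`) for the same time window on both boxes; if the control rule is missing on either side the problem is in the capture path rather than in the rules, and if it is present on both, the "old but not new" list is the set of rules to re-test one at a time under 2.9.1.1.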
Current thread:
- Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Joel Esler (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 21)
- Re: Rules not hit on 2.9.1.1 sensor Martin Holste (Oct 20)
- Re: Rules not hit on 2.9.1.1 sensor Peter Bates (Oct 20)