Snort mailing list archives
Alerts generated but no packets logged for URI Content rule
From: Snort User <snortman009 () gmail com>
Date: Wed, 27 Jun 2012 00:37:08 -0400
Running version 2.9.2.3 on Ubuntu Server 12.04. The snort.conf file is almost identical to the file that comes with the source download; I only commented out the reputation section.

The command line to launch snort is as follows:

snort -c snort.conf -l /var/log/snort -A full -i eth1

The rule I am using is as follows:

alert tcp any any -> any 80 (msg:"Electronics URI Content Detected";uricontent:"electronics";nocase;stream_reassemble:enable,both;sid:500200;)

5 alerts are generated from the attached pcap file and look like the following:

[**] [1:500200:0] Electronics URI Content Detected [**]
[Priority: 0]
06/27-00:07:42.602532 10.0.77.140:3809 -> 66.211.181.161:80
TCP TTL:103 TOS:0x20 ID:24622 IpLen:20 DgmLen:1149 DF
***A**** Seq: 0xAC93418A  Ack: 0x2A8B224C  Win: 0xF653  TcpLen: 20

The snort log file is created but is never filled with the packets associated with the alerts. Can anyone provide assistance?

Thank you.
Sean
Attachment: electronics.pcap
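When Snort is run with "-A full" as in the post, each alert is written as a multi-line text record like the one quoted above. A defender correlating those records against the pcap (or against the packet log that was expected to appear) usually wants them as structured fields. The following parser is an added example and is not part of the poster's message or of Snort itself; it uses only the Python standard library, and the sample alert and rule embedded in it are the ones quoted in the post (with the alert's line breaks restored). The record layout it assumes is the one visible in the post: header line, priority line, timestamp/5-tuple line, IP line, TCP line.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample input: the '-A full' record quoted in the post,
# with its original line breaks restored.
SAMPLE_ALERT = (
    "[**] [1:500200:0] Electronics URI Content Detected [**]\n"
    "[Priority: 0]\n"
    "06/27-00:07:42.602532 10.0.77.140:3809 -> 66.211.181.161:80\n"
    "TCP TTL:103 TOS:0x20 ID:24622 IpLen:20 DgmLen:1149 DF\n"
    "***A**** Seq: 0xAC93418A  Ack: 0x2A8B224C  Win: 0xF653  TcpLen: 20\n"
)

# The rule from the post.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"Electronics URI Content Detected";'
               'uricontent:"electronics";nocase;stream_reassemble:enable,both;sid:500200;)')

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"^\[Priority: (\d+)\]$")
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(?: (.+))?$")
# Eight flag positions: CWR(1) ECE(2) U A P R S F; '*' marks a clear bit.
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                    r"\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)$")
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class FullAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int] = None
    timestamp: str = ""
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: str = ""
    ttl: int = 0
    ip_id: int = 0
    dgm_len: int = 0
    ip_flags: str = ""
    tcp_flags: str = ""
    seq: int = 0
    ack: int = 0

    def flags(self) -> set:
        """Letters set in the TCP flag field, e.g. {'A'} for ***A****."""
        return {c for c in self.tcp_flags if c != "*"}


def parse_full_alerts(text: str) -> List[FullAlert]:
    """Parse a Snort '-A full' alert file into FullAlert records."""
    alerts: List[FullAlert] = []
    cur: Optional[FullAlert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                      # a header line starts a new record
            cur = FullAlert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(cur)
            continue
        if cur is None:
            continue               # ignore anything before the first header
        if (m := PRIORITY_RE.match(line)):
            cur.priority = int(m[1])
        elif (m := CONN_RE.match(line)):
            cur.timestamp, cur.src, cur.sport, cur.dst, cur.dport = m[1], m[2], int(m[3]), m[4], int(m[5])
        elif (m := IP_RE.match(line)):
            cur.proto, cur.ttl, cur.ip_id, cur.dgm_len = m[1], int(m[2]), int(m[4]), int(m[6])
            cur.ip_flags = m[7] or ""
        elif (m := TCP_RE.match(line)):
            cur.tcp_flags, cur.seq, cur.ack = m[1], int(m[2], 16), int(m[3], 16)
    return alerts


def _split_options(body: str) -> List[str]:
    """Split a rule option body on ';' that are outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule: str) -> Dict[str, Any]:
    """Split a text rule into its header fields and an option map (bare options map to None)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    opts: Dict[str, Optional[str]] = {}
    for opt in _split_options(m[8]):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"') if val else None
    return {"action": m[1], "proto": m[2], "src": m[3], "sport": m[4],
            "dir": m[5], "dst": m[6], "dport": m[7], "options": opts}


def alerts_for_rule(rule: str, alerts: List[FullAlert]) -> List[FullAlert]:
    """Return the alerts raised by this rule (generator id 1 is the text-rule engine)."""
    sid = int(parse_rule(rule)["options"]["sid"])
    return [a for a in alerts if a.gid == 1 and a.sid == sid]


if __name__ == "__main__":
    for a in alerts_for_rule(SAMPLE_RULE, parse_full_alerts(SAMPLE_ALERT)):
        print(a.timestamp, a.src, a.sport, "->", a.dst, a.dport, sorted(a.flags()), hex(a.seq))
```

The 5-tuple and timestamp extracted per record are what you would feed to a capture filter to pull the matching packets out of electronics.pcap by hand while the packet log stays empty; the rule parser is included so that the sid in the alert header can be tied back to the rule that produced it.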