Snort mailing list archives
Re: question for snort flow established
From: zhaojunling_20 <zhaojunling_2000 () 163 com>
Date: Sun, 17 Mar 2013 10:41:52 +0800 (CST)
Dear friends, FYI

# List of web servers on your network
ipvar HTTP_SERVERS 10.2.11.2/24

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

At 2013-03-17 04:00:21, "waldo kitty" <wkitty42 () windstream net> wrote:

> On 3/16/2013 10:10, zhaojunling_20 wrote:
>> Dear All,
>> I have a little question: if I installed snort on my web server <IP address 10.2.11.2>, which has only one ethernet interface, and snort inspects the interface, does "flow with option established" work or not?
>
> yes... it has to as several tens of thousands of rules use it ;)
>
>> I have tested the below rule with http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware installation request"; content:"Zango/Setup.exe"; flow: to_server,established; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:10000019; rev:3;)
>
> what do your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
>
>> appreciate your help~
>>
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
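The two things waldo kitty asks about, what the $HTTP_SERVERS/$HTTP_PORTS variables resolve to and whether the session is in the established state, are exactly the checks the rule header and the flow option impose before content matching even runs. The following Python model is an added example written for this archive page; it is not Snort's code and not from anyone in the thread. It parses the posted ipvar/portvar lines (port list abridged), resolves the rule header against a packet, and tracks TCP state with a deliberately simple model in which a session only counts as established after a full SYN/SYN-ACK/ACK handshake has been observed (an assumption of the example; Snort's stream preprocessor is configurable and may treat mid-stream sessions differently). All packets and addresses other than 10.2.11.2 are constructed.

```python
"""Toy model of how a Snort rule header resolves $HTTP_SERVERS/$HTTP_PORTS and how
flow:to_server,established gates a content match. Added example, not Snort's own code."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed snort.conf fragment: the ipvar/portvar lines from the thread, ports abridged.
SNORT_CONF_FRAGMENT = """
ipvar HTTP_SERVERS 10.2.11.2/24
portvar HTTP_PORTS [80,81,8000,8080,8888]
"""
# The rule from the thread, reassembled on one line.
RULE = ('alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware '
        'installation request"; content:"Zango/Setup.exe"; flow:to_server,established; '
        'reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; '
        'classtype:policy-violation; sid:10000019; rev:3;)')

def parse_vars(conf):
    """name -> list of networks (ipvar) or set of ports (portvar)."""
    ipvars, portvars = {}, {}
    for line in conf.splitlines():
        m = re.match(r'\s*(ipvar|portvar)\s+(\w+)\s+(.+)$', line)
        if not m:
            continue
        kind, name, value = m.groups()
        items = [v.strip() for v in value.strip('[] ').split(',') if v.strip()]
        if kind == 'ipvar':
            # strict=False masks the host bits, so 10.2.11.2/24 covers all of 10.2.11.0/24
            ipvars[name] = [ipaddress.ip_network(v, strict=False) for v in items]
        else:
            ports = set()
            for v in items:                     # single port or lo:hi range
                lo, _, hi = v.partition(':')
                ports.update(range(int(lo), int(hi or lo) + 1))
            portvars[name] = ports
    return ipvars, portvars

def parse_rule(rule):
    """Split a rule into its header fields and an option name -> value dict."""
    head, _, opts = rule.partition('(')
    _action, _proto, src, sport, _arrow, dst, dport = head.split()
    options = dict(re.findall(r'(\w+):\s*"?([^";]*)"?;', opts))
    return dict(src=src, sport=sport, dst=dst, dport=dport), options

def match_ip(spec, addr, ipvars):
    if spec == 'any':
        return True
    nets = ipvars[spec[1:]] if spec.startswith('$') else [ipaddress.ip_network(spec, strict=False)]
    return any(ipaddress.ip_address(addr) in n for n in nets)

def match_port(spec, port, portvars):
    if spec == 'any':
        return True
    return port in (portvars[spec[1:]] if spec.startswith('$') else {int(spec)})

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # 'S', 'SA', 'A' or 'PA'
    payload: bytes = b''

class FlowTracker:
    """Session is 'established' only after SYN, SYN-ACK and ACK have all been seen
    (simplifying assumption; the real stream preprocessor is configurable)."""
    def __init__(self):
        self.sessions = {}      # (client, cport, server, sport) -> state

    def update(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.flags == 'S' and fwd not in self.sessions:
            self.sessions[fwd] = 'syn'              # p.src is the client
        elif p.flags == 'SA' and self.sessions.get(rev) == 'syn':
            self.sessions[rev] = 'synack'
        elif p.flags == 'A' and self.sessions.get(fwd) == 'synack':
            self.sessions[fwd] = 'established'

    def state(self, p):
        """(established, to_server) for the packet's session; unknown sessions are neither."""
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions:
            return self.sessions[fwd] == 'established', True
        if rev in self.sessions:
            return self.sessions[rev] == 'established', False
        return False, False

def run_rule(conf, rule, packets):
    """Return [(packet_index, sid)] for every packet the rule would alert on."""
    ipvars, portvars = parse_vars(conf)
    hdr, opts = parse_rule(rule)
    flow = set(opts.get('flow', '').split(','))
    tracker, alerts = FlowTracker(), []
    for i, p in enumerate(packets):
        tracker.update(p)
        if not (match_ip(hdr['src'], p.src, ipvars) and match_port(hdr['sport'], p.sport, portvars)
                and match_ip(hdr['dst'], p.dst, ipvars) and match_port(hdr['dport'], p.dport, portvars)):
            continue                                # header did not match
        established, to_server = tracker.state(p)
        if ('established' in flow and not established) or ('to_server' in flow and not to_server):
            continue                                # flow option did not match
        if opts['content'].encode() in p.payload:
            alerts.append((i, int(opts['sid'])))
    return alerts

# Constructed traffic: a client on the same /24 requesting the URL from the thread.
CLIENT, SERVER = '10.2.11.50', '10.2.11.2'
REQUEST = b'GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\nHost: 10.2.11.2\r\n\r\n'

def handshake(cport, sport):
    return [Packet(CLIENT, cport, SERVER, sport, 'S'), Packet(SERVER, sport, CLIENT, cport, 'SA'),
            Packet(CLIENT, cport, SERVER, sport, 'A')]

def scenario_full_handshake():       # handshake seen, port 80 -> [(3, 10000019)]
    pkts = handshake(40001, 80) + [Packet(CLIENT, 40001, SERVER, 80, 'PA', REQUEST)]
    return run_rule(SNORT_CONF_FRAGMENT, RULE, pkts)

def scenario_midstream():            # capture began after the handshake -> []
    return run_rule(SNORT_CONF_FRAGMENT, RULE, [Packet(CLIENT, 40002, SERVER, 80, 'PA', REQUEST)])

def scenario_port_not_in_var():      # 8443 is not in HTTP_PORTS -> []
    pkts = handshake(40003, 8443) + [Packet(CLIENT, 40003, SERVER, 8443, 'PA', REQUEST)]
    return run_rule(SNORT_CONF_FRAGMENT, RULE, pkts)
```

The three scenarios separate the failure causes a rule like this can have: the request alerts only when the header variables cover the server and port and the tracker has seen the session become established. Running the same request without a visible handshake, or against a port absent from $HTTP_PORTS, silently produces no alert, which is the kind of situation the question in the thread describes.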
Current thread:
- question for snort flow established zhaojunling_20 (Mar 16)
- Re: question for snort flow established waldo kitty (Mar 16)
- Re: question for snort flow established zhaojunling_20 (Mar 16)
- Re: question for snort flow established zhaojunling_20 (Mar 16)
- Re: question for snort flow established zhaojunling_20 (Mar 17)
- Re: question for snort flow established zhaojunling_20 (Mar 17)
- Re: question for snort flow established waldo kitty (Mar 18)
- Re: question for snort flow established JJ Cummings (Mar 18)
- Re: question for snort flow established waldo kitty (Mar 18)
- Re: question for snort flow established Joel Esler (Mar 18)
- Re: question for snort flow established waldo kitty (Mar 18)
- Re: question for snort flow established Jason (Mar 18)
- Re: question for snort flow established zhaojunling_20 (Mar 16)
- Re: question for snort flow established waldo kitty (Mar 16)
- Re: question for snort flow established Joel Esler (Mar 18)