Snort mailing list archives

Rule works in replay file mode, but not when sniffing


From: Pavel Rantorski <fhjull01 () outlook com>
Date: Fri, 12 Jul 2013 15:05:37 +0200




Hello,
I'm testing a rule that should (eventually) detect download/upload of specific file types from public HTTP servers. I 
could not get the rule to trigger, so I simplified it to:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file download"; content:"Content-Disposition|3a|"; nocase; http_header; pcre:"/filename=/simH"; classtype:policy-violation; sid:1000004; rev:7;)

(the rule is nowhere near complete, it is simplified to be less prone to mistakes)

Unfortunately, the rule still does not work. I captured the traffic (on the same machine/interface that Snort was 
running on) and verified that such a packet is indeed there. When I let Snort analyze the traffic from this pcap file 
('snort -A console -c /etc/snort/snort.conf -r /tmp/testdata5.pcap -l . -u snort'), the rule is fired on the console 
correctly.

The rule is (in standard, sniffing mode) sometimes triggered as well (although never from this particular server I am 
testing).

What could be the cause of this? Snort is running in IDS mode (not inline) and is not dropping packets. LRO and GRO are 
disabled on network adapter. I have tried running Snort with '-k none' without any results.

I have attached a small pcap sample of the traffic I'm trying to catch - this is enough to trigger the rule in replay 
mode, but didn't trigger when sniffing.

Thank you,
Pavel
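When a rule fires on a replayed pcap but not on the live interface, the first thing worth pinning down is what the capture actually contains, independently of Snort. The following is an added example, not code from the post or from the Snort project: a self-contained Python script that builds a constructed libpcap file with a few HTTP responses, parses it back, and applies the same two payload conditions the posted rule uses (a case-insensitive `Content-Disposition:` header and a `filename=` match within the headers). Comparing its hit list with `snort -r` output on the same file gives a ground truth for which packets the rule should alert on. The sample responses, addresses and ports are constructed; the matcher checks each packet's headers individually and does not emulate Snort's stream reassembly or HTTP normalization.

```python
import re
import struct

# The posted rule's payload conditions, reproduced as regular expressions:
#   content:"Content-Disposition|3a|"; nocase; http_header;  -> header contains "Content-Disposition:" (any case)
#   pcre:"/filename=/simH";                                  -> "filename=" in the header buffer, flags s/i/m
CONTENT_DISPOSITION = re.compile(rb"content-disposition:", re.IGNORECASE)
FILENAME = re.compile(rb"filename=", re.IGNORECASE | re.DOTALL | re.MULTILINE)

# Constructed HTTP responses: the first should alert, the other two should not
# (the third carries "filename=" only in the body, outside the header buffer).
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"content-disposition: attachment; filename=report.pdf\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 22\r\n\r\nfilename= in body only",
]


def build_pcap(payloads, server_port=80, client_port=40000):
    """Write a minimal libpcap (magic 0xA1B2C3D4, linktype Ethernet) with one
    Ethernet/IPv4/TCP frame per payload. Addresses are constructed sample values."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = []
    for payload in payloads:
        eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", server_port, client_port, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0)          # data offset 5 words, flags PSH|ACK
        total_len = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes([203, 0, 113, 10]), bytes([192, 168, 1, 20]))
        frame = eth + ip + tcp + payload
        records.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, tcp_payload) for every IPv4/TCP frame in a
    little-endian libpcap file with Ethernet link type."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                           # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def rule_matches(payload):
    """Apply the rule's payload conditions to one HTTP response's header block."""
    if not payload.startswith(b"HTTP/"):
        return False
    end = payload.find(b"\r\n\r\n")
    headers = payload if end < 0 else payload[:end]
    return bool(CONTENT_DISPOSITION.search(headers)) and bool(FILENAME.search(headers))


def alerts_for_pcap(pcap, server_ports=(80, 8080)):
    """Return the zero-based packet indexes that the rule's payload logic would alert on,
    restricted to server-to-client traffic as $HTTP_PORTS -> $HOME_NET implies."""
    return [i for i, (sport, _dport, payload) in enumerate(iter_tcp_payloads(pcap))
            if sport in server_ports and rule_matches(payload)]


if __name__ == "__main__":
    sample = build_pcap(SAMPLE_RESPONSES)
    with open("constructed_sample.pcap", "wb") as fh:
        fh.write(sample)                                       # replay with: snort -r constructed_sample.pcap
    print("packets the rule should alert on:", alerts_for_pcap(sample))
```

Running the script writes `constructed_sample.pcap` and reports which packet indexes match; replaying that file and a live capture through Snort with the same configuration, then comparing the alert counts against this list, separates "the traffic never reached the rule" from "the rule does not match this traffic".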


Attachment: testdata5.pcap
