Snort mailing list archives

Re: Question regarding a rule


From: Y M <snort () outlook com>
Date: Tue, 24 Jun 2014 17:26:13 +0000

Ok, GUI is out of the way. 
I am just guessing here, but since there is no flow direction in the rule, only "established" without a direction
(to_server, from_client, etc.), Snort will alert after it flushes the TCP sessions; I am almost sure that I read this
somewhere. If you use, for example, to_server, Snort would alert as soon as the content matches and it knows that it was
you (the client) who established/initiated the connection (through stream5), and alert based on that. However, I stand
corrected on all of the above.
If you add the flow direction to your rule, does that change the alerting behavior?

Date: Tue, 24 Jun 2014 18:09:05 +0100
Subject: Re: [Snort-sigs] Question regarding a rule
From: chas5873 () gmail com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

Cheers for the reply mate. 

I'm not using a GUI, just running it through a terminal. It's the only rule it's happening with so far, which is
confusing me to say the least!



On Tue, Jun 24, 2014 at 6:06 PM, Y M <snort () outlook com> wrote:
Are you using a GUI or just running in console mode to view the alerts? "Usually", in a GUI scenario, alerts are cached
and, depending on refresh rates, the alerts will show up. Does this happen only for this rule or others as well?

Date: Tue, 24 Jun 2014 17:17:09 +0100
From: chas5873 () gmail com
To: snort-sigs () lists sourceforge net

Subject: [Snort-sigs] Question regarding a rule

Hi guys, 

I'm having a bit of trouble with a rule that I'm playing around with to detect torrent usage. 


alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|38 64 61|"; flow:established; classtype:policy-violation; sid:1000001; rev:1;)


After examining the hex dumps from multiple torrents, I noticed that they all begin with 38 64 61, so that's where I 
managed to get that content from. 

When I run Snort and download the torrent, though, it doesn't alert me straight away, but gives me about 20 alerts
about 3-4 minutes later.


Does anyone have any idea what could be causing this?

Cheers, 

Charlie
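Added example, not part of Charlie's or Y M's mails and not Snort project code: the rule as posted, beside two variants that add the flow direction Y M suggests. Everything in the variants beyond the original rule is an assumption for illustration: that the metafile is fetched by an internal client (so the bytes arrive from the server side, hence to_client and the $HOME_NET/$EXTERNAL_NET variables), that depth:3 is appropriate because the post says the bytes appear at the start of the file, and that the download is over HTTP, in which case the body follows the response headers and file_data selects the decoded body rather than the raw payload. The sids 1000002 and 1000003 are placeholders.

```snort
# Original rule as posted (both directions, bytes may appear at any offset in
# any payload, so three bytes alone can also hit unrelated traffic).
alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|38 64 61|"; flow:established; classtype:policy-violation; sid:1000001; rev:1;)

# Variant with a flow direction (assumption: an internal client downloads the
# metafile, so the matching bytes travel from the server to the client).
# depth:3 anchors the match to the first three payload bytes, where the post
# says the bytes are seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P torrent metafile download (to client)"; flow:established,to_client; content:"|38 64 61|"; depth:3; classtype:policy-violation; sid:1000002; rev:1;)

# Variant for a download over HTTP (assumption). The body follows the response
# headers, so depth:3 on the raw payload would miss it; file_data selects the
# decoded HTTP response body (needs the http_inspect preprocessor enabled).
alert tcp $EXTERNAL_NET $HTTP_PORTS any -> $HOME_NET any (msg:"P2P torrent metafile download (HTTP body)"; flow:established,to_client; file_data; content:"|38 64 61|"; depth:3; classtype:policy-violation; sid:1000003; rev:1;)
```

To compare the alerting behaviour of the three rules offline, replay the capture of the download with `snort -c snort.conf -r capture.pcap -A console` (capture.pcap is a placeholder name) and check which sid fires and when; with the directional rules, any remaining delay can then be attributed to stream reassembly rather than to matches in the wrong direction.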

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!                                       