Snort mailing list archives
Re: Port problems in a rule
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 Oct 2014 16:10:01 -0400
On 10/17/2014 2:58 PM, Kurzawa, Kevin wrote:
The port variable doesn’t seem to like me. I recently started playing with rules and found an unexpected problem. Wondering what I’m doing wrong.
how are you attempting to trigger these rules?
# works
alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)
do you have a pcap for this? i suspect that you are seeing this trigger on something other than http traffic which your other two rules appear to be looking for... maybe DNS traffic here when the browser looks up the domain to find out which IP to connect to...
# doesn't work
#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)
# doesn't work
#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)
aside from that, you should perhaps capture the traffic to a pcap with wireshark or tcpdump... that way you can more easily see what ports are being used and what the contents of the traffic actually are... it is possible that your content string doesn't appear in the traffic at all...
--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
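Whether any of the three rules fires on a given packet is decided first by the rule header (protocol and destination port) and only then by the content string. The Python below is an added example, not code from this thread or from the Snort project: a small matcher that reads the three rules exactly as posted, expands an assumed value for $HTTP_PORTS (hypothetical; the real value comes from the portvar line in snort.conf), and runs them over a few constructed packets, the kind of per-packet check that becomes possible once a pcap is in hand. Two details worth noticing in the output: the any/any rule is the only one that can fire on a port-443 packet, and a constructed DNS query never matches, both because the rules are TCP-only and because DNS carries the name as length-prefixed labels, so the dotted string is not present in it as a byte sequence.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed value for $HTTP_PORTS (hypothetical). In a real deployment it is
# whatever the "portvar HTTP_PORTS [...]" line in snort.conf says.
VARS = {"HTTP_PORTS": "[80,8080]"}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Rule options: keyword:value; with the value optionally double-quoted
OPTION_RE = re.compile(r'(\w+)\s*:\s*"?([^;"]*)"?\s*;')


@dataclass
class Rule:
    proto: str
    dport: Optional[Set[int]]  # None stands for "any"
    content: bytes
    rev: str


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Expand 'any', '$VAR', '80', '[80,8080]' or '8000:8080' into a port set."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return None
    ports: Set[int] = set()
    for item in spec.strip("[]").split(","):
        lo, _, hi = item.partition(":")  # single port or lo:hi range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(text: str) -> Rule:
    """Parse one rule; a leading '#' is dropped so commented rules are evaluated too."""
    m = HEADER_RE.match(text.strip().lstrip("#").strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = dict(OPTION_RE.findall(m.group("opts")))
    return Rule(m.group("proto"), parse_ports(m.group("dport")),
                opts["content"].encode(), opts["rev"])


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header check (protocol, destination port), then a plain case-sensitive
    byte search, which is how an unmodified 'content' option behaves."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    return rule.content in pkt.payload


def match_table(rule_texts: List[str], packets: List[Packet]) -> Dict[str, List[int]]:
    """For each rule revision, the destination ports of the packets it fires on."""
    table: Dict[str, List[int]] = {}
    for text in rule_texts:
        rule = parse_rule(text)
        table[rule.rev] = [p.dport for p in packets if matches(rule, p)]
    return table


# The three rules from the thread, verbatim.
RULES = [
    'alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)',
    '#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)',
    '#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)',
]

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # HTTP request on port 80: the Host header carries the name literally.
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n\r\n"),
    # Fragment shaped like a TLS ClientHello on port 443: the SNI host_name
    # field is plain ASCII, so the name is visible even though the session is encrypted.
    Packet("tcp", 443, b"\x16\x03\x01" + b"\x00" * 40 + b"\x00\x00\x0dtestmyids.com"),
    # DNS query on UDP/53: the name is encoded as \x09testmyids\x03com, no literal dot.
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                      b"\x09testmyids\x03com\x00\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    for rev, ports in match_table(RULES, SAMPLE_PACKETS).items():
        print(f"rev {rev}: fires on destination ports {ports}")
```

Running it prints rev 1 firing on ports 80 and 443 and revs 2 and 3 firing on port 80 only; feeding it the real destination ports and payloads from a pcap, instead of the constructed packets, is the quickest way to see which traffic actually tripped the any/any rule.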
Current thread:
- Port problems in a rule Kurzawa, Kevin (Oct 17)
- Re: Port problems in a rule waldo kitty (Oct 17)
- Re: Port problems in a rule Kurzawa, Kevin (Oct 20)
- Re: Port problems in a rule waldo kitty (Oct 20)
- Re: Port problems in a rule Kurzawa, Kevin (Oct 20)
- Re: Port problems in a rule waldo kitty (Oct 17)