Snort mailing list archives
Problems using flow quantifier
From: Research <research () nativemethods com>
Date: Thu, 5 Mar 2015 13:48:18 -0500
Hello,

I have just begun writing my own rules for Snort 2.9.7.0. While I am aware that there are pre-existing rules that are probably: 1) more accurate, 2) more optimized and 3) time tested, I am aiming to learn how to write rules from scratch.

I currently have a basic rule that looks for a request to a web server for the “robots” file for crawling. The idea behind this rule is to receive notification when a web crawler indexes the web server. The early draft of the rule looks like this:

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
        (msg:"Web crawl attempt: robots.txt"; content:"robot"; sid:10000002; rev:001)

If I perform a simple test with telnet:

    telnet www.example.org 80
    GET /robot

…I see the results in the alerts.log file in /var/log/snort.

My next step in optimizing the rule was to use the flow quantifier. I used the established option to specify traffic that had already established a three-way handshake and to_server to specify a flow from a client to the server. The rule looks like:

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
        (msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"robot"; sid:10000002; rev:002;)

…however, my telnet test from before now does not cause an event to be logged. If I remove the flow:established,to_server; portion, the rule then works again. I am unaware of flow having to be in a specific position in the rule (i.e. after content), so I am not sure what the problem could be.

When I am running snort, I use the following command line:

    sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

I am wondering what I am doing incorrectly?

Thanks.
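The flow keyword in the rev:002 rule depends on session state that Snort's stream preprocessor builds from the TCP handshake, not on the packet alone. The following added example (not code from the original post, and not Snort's own implementation) is a simplified model of that behaviour: it tracks a constructed telnet-style session through SYN, SYN/ACK and ACK, then evaluates `flow:established,to_server` plus the `content:"robot"` match for the `GET /robot` request, once with the handshake observed and once with the sensor having missed it. The packet dictionaries, flag constants and RFC 5737 addresses are assumptions made for the illustration.

```python
# Added example: simplified model of stream tracking feeding Snort's flow keyword.
# Packet dicts, flag constants and addresses are constructed for this illustration.
SYN, ACK, PSH = 0x02, 0x10, 0x08

class StreamTracker:
    """A session is 'established' only once SYN, SYN/ACK and ACK are all seen."""
    def __init__(self):
        self.sessions = {}   # frozenset of endpoints -> session state dict

    def observe(self, pkt):
        ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        flags, s = pkt["flags"], self.sessions.get(ends)
        if s is None:
            # Only a bare SYN creates a session; the SYN sender is the client side.
            if flags & SYN and not flags & ACK:
                s = {"client": (pkt["src"], pkt["sport"]), "seen": ["SYN"], "established": False}
                self.sessions[ends] = s
            return s   # None for a mid-stream packet on a session that was never tracked
        if flags & SYN and flags & ACK and s["seen"] == ["SYN"]:
            s["seen"].append("SYN/ACK")
        elif flags & ACK and s["seen"] == ["SYN", "SYN/ACK"]:
            s["seen"].append("ACK")
            s["established"] = True
        return s

def flow_matches(session, pkt):
    """flow:established,to_server: tracked session, handshake complete, client -> server."""
    return (session is not None and session["established"]
            and (pkt["src"], pkt["sport"]) == session["client"])

def rule_fires(tracker, pkt, content=b"robot"):
    """The rev:002 rule from the post: flow check first, then the content match."""
    session = tracker.observe(pkt)
    return flow_matches(session, pkt) and content in pkt["payload"]

def scenario(sensor_saw_handshake):
    """Replay 'telnet host 80' + 'GET /robot'; optionally drop the handshake packets."""
    c, srv = ("203.0.113.5", 40001), ("198.51.100.10", 80)   # constructed RFC 5737 addresses
    pk = lambda s, d, flags, payload=b"": {"src": s[0], "sport": s[1], "dst": d[0],
                                           "dport": d[1], "flags": flags, "payload": payload}
    handshake = [pk(c, srv, SYN), pk(srv, c, SYN | ACK), pk(c, srv, ACK)]
    request = pk(c, srv, PSH | ACK, b"GET /robot\r\n")
    tracker = StreamTracker()
    packets = (handshake if sensor_saw_handshake else []) + [request]
    return any(rule_fires(tracker, p) for p in packets)
```

With the handshake observed, `scenario(True)` fires; with only the data packet, `scenario(False)` does not, because the tracker has no session to mark established. The real stream preprocessor is configurable and more elaborate than this model, but the dependency on session state is the same.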