Snort mailing list archives
Re: Problems using flow quantifier
From: Research <research () nativemethods com>
Date: Thu, 5 Mar 2015 14:41:33 -0500
On Mar 5, 2015, at 2:25 PM, lists () packetmail net wrote:
On 03/05/2015 12:48 PM, Research wrote:
> sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
> I am wondering what I am doing incorrectly?

A very well-formed, respectfully asked question -- thank you for that. Add '-k none' and do reply if this does or does not fix it. I am happy to help.

Cheers,
Nathan Fowler
Hi Nathan,

Thank you for your response. I modified the command line with the -k none argument as you suggested:

sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -k none -D

…and then tested the rule and successfully received an alert in alerts.log!

I iterated on the rule and made it a bit more specific:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"/robots.txt"; sid:10000002; rev:002;)

…and am happy to say that this was successful as well. It managed to pick up the Bing bot spidering my site.

I checked the man page for the -k argument and note that the -k none option does the following: "None turns off the entire checksum verification subsystem."

Out of curiosity, why was that causing problems? My web server is on a cloud instance - are the virtualized NICs not able to calculate checksums correctly and were interfering with rule detection (i.e.: Snort was seeing an invalid checksum and discarding the packet instead of running the rule on it)?

Thank you.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
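The message above asks whether Snort's checksum verification was discarding packets before the rule ran. As an added example (not code from the thread or from Snort), the Python below recomputes a TCP checksum the way a checksum verifier does, so a capture can be checked for the "invalid checksum" condition that '-k none' switches off; the packet bytes, addresses and ports are constructed for the demonstration, and the zeroed-checksum copy stands in for what a capture taken before checksum offload can look like.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(packet: bytes) -> int:
    """Recompute the TCP checksum of an IPv4 packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]
    # pseudo-header: src addr, dst addr, zero, protocol, TCP length
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field = 0
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)

def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the stored checksum matches the recomputed one; a packet
    failing this is what a checksum verifier drops before rule matching."""
    ihl = (packet[0] & 0x0F) * 4
    stored = struct.unpack("!H", packet[ihl + 16:ihl + 18])[0]
    return stored == tcp_checksum(packet)

def fix_tcp_checksum(packet: bytes) -> bytes:
    """Return a copy with the TCP checksum field set to the correct value."""
    ihl = (packet[0] & 0x0F) * 4
    good = struct.pack("!H", tcp_checksum(packet))
    return packet[:ihl + 16] + good + packet[ihl + 18:]

# Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, TCP 40000 -> 80, SYN, no payload.
IP_HDR = bytes.fromhex("45000028000100004006" "0000" "0a000001" "0a000002")
TCP_HDR_NO_CKSUM = bytes.fromhex("9c400050" "00000001" "00000000"
                                 "5002" "2000" "0000" "0000")
OFFLOADED = IP_HDR + TCP_HDR_NO_CKSUM   # checksum still 0 (not yet filled by NIC)
WIRE = fix_tcp_checksum(OFFLOADED)      # what the peer sees on the wire

if __name__ == "__main__":
    print("offloaded copy verifies:", tcp_checksum_ok(OFFLOADED))   # False
    print("wire copy verifies:     ", tcp_checksum_ok(WIRE))        # True
```

Running it over packets read from a capture shows which ones a verifying sensor would never pass to rules, which is the distinction '-k none' removes.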
Current thread:
- Problems using flow quantifier Research (Mar 05)
- Re: Problems using flow quantifier lists () packetmail net (Mar 05)
- Re: Problems using flow quantifier Research (Mar 05)
- Re: Problems using flow quantifier lists () packetmail net (Mar 05)
- Re: Problems using flow quantifier Joel Esler (jesler) (Mar 05)
- Re: Problems using flow quantifier lists () packetmail net (Mar 05)
- Re: Problems using flow quantifier Research (Mar 05)
- Re: Problems using flow quantifier Joel Esler (jesler) (Mar 05)
- Re: Problems using flow quantifier Research (Mar 05)
- Re: Problems using flow quantifier lists () packetmail net (Mar 05)