Snort mailing list archives

Re: Trigger anomalies (on LXC container versus host)


From: Chris <berzerkatives () gmail com>
Date: Tue, 5 May 2015 15:15:31 +0100

On Mon, 04 May 2015 06:31:43 -0400
waldo kitty <wkitty42 () windstream net> wrote:

On 5/3/2015 8:07 PM, Chris wrote:
Here's the rule that one would expect to trigger.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI test.cgi access"; flow:to_server,established;
uricontent:"/test.cgi"; nocase; classtype:web-application-activity;
sid:1646; rev:5;)

I'm left to think that I must be making a mistake somehow with my
playback testing, but I'm not sure what. Any ideas?

your rule has flow:to_server,established in it... could it be that
your container snort hasn't seen the previous 3-way handshake packets
and so doesn't consider this packet as "established"? we've seen
similar when snort has flushed "old" unprocessed packets to make room
for new ones in a heavy flow, low memory, high cpu usage situation...


Hi Waldo,

To test this I removed the flow* clause from the rule (incremented
the rev, stopped then started Snort), but that didn't cause it to
trigger when I tested again. Any thoughts?

Thanks,
Chris
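The handshake dependency Waldo describes, as an added example that is not part of the thread: a toy stream tracker that only marks a flow established after a full SYN, SYN/ACK, ACK exchange, then evaluates the sid:1646 conditions against two constructed replay traces (documentation addresses and a made-up request). Snort's real stream preprocessor has more states and tunables; this only shows why a replay that omits the handshake leaves the flow-qualified rule silent while the same rule without the flow option fires.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags set on this segment
    payload: bytes = b""

def flow_key(p):
    # Bidirectional key so both directions map to the same flow entry
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

class StreamTracker:
    """Toy SYN -> SYN/ACK -> ACK tracker; nothing else reaches 'established'."""
    def __init__(self):
        self.flows = {}     # flow key -> (state, (server_ip, server_port))

    def update(self, p):
        k = flow_key(p)
        state, server = self.flows.get(k, ("new", None))
        if state == "new" and p.flags == {"SYN"}:
            self.flows[k] = ("syn", (p.dst, p.dport))
        elif state == "syn" and p.flags == {"SYN", "ACK"}:
            self.flows[k] = ("synack", server)
        elif state == "synack" and "ACK" in p.flags and "SYN" not in p.flags:
            self.flows[k] = ("established", server)
        return self.flows.get(k, ("new", None))

def rule_fires(p, flow_state, use_flow_option=True):
    """sid:1646 logic: flow:to_server,established; uricontent:"/test.cgi"; nocase;"""
    state, server = flow_state
    if use_flow_option and (state != "established" or (p.dst, p.dport) != server):
        return False
    uri = p.payload.split(b" ")[1] if p.payload.startswith(b"GET ") else b""
    return b"/test.cgi" in uri.lower()

def alerts(packets, use_flow_option=True):
    tracker = StreamTracker()
    return sum(rule_fires(p, tracker.update(p), use_flow_option) for p in packets)

# Constructed replay traces (RFC 5737 documentation addresses, not real hosts)
C, S = ("192.0.2.10", 40000), ("198.51.100.5", 80)
REQ = b"GET /Test.cgi?x=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HANDSHAKE = [Packet(*C, *S, frozenset({"SYN"})),
             Packet(*S, *C, frozenset({"SYN", "ACK"})),
             Packet(*C, *S, frozenset({"ACK"}))]
REQUEST = [Packet(*C, *S, frozenset({"ACK", "PSH"}), REQ)]
```

Replaying REQUEST alone yields no alert with the flow option and one without it; replaying HANDSHAKE + REQUEST alerts either way.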
