Snort mailing list archives

Re: Snort not generating alert


From: Y M <snort () outlook com>
Date: Sat, 28 Nov 2015 12:44:04 +0000

I have looked at your files, but you may want to consider "flow" and "http_header" keywords in the rule posted. Try 
these and see if they help.

Sent from Mobile

_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>


Hi,
     I am using Ubuntu 14.04 LTS and have some problems detecting some strings in the payload of a pcap. Actually the 
problem is that when I hit the pcap with the snort rules file named r1.rules, no alerts are generated. Assume that the 
pcap and rules file are in the same directory, snort.conf is at /etc/snort/snort.conf and I have enabled TCP reassembly.

  *   Command1 executed: sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
  *   Rule which should trigger: alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; 
content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
  *   Output1: no alert generated


  *   Command2 executed: sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
  *   Output2: This command generates the http-response stream, and it has both contents which are in the rule to be 
matched, so it should generate an alert, but snort is not generating an alert even though both contents are present in 
the output stream generated using switch -A cmg instead of -A console.

         I have attached the response file named "r1_response.txt" (i.e. the output generated while executing 
command2), snort.conf, r1.rules, and TCP_SACK.pcap (the pcap to be hit). Please resolve the issue and let me know the 
solution.




Best Regards,

Qasim Javed | Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road, Lahore, Pakistan

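Y M's suggestion worked through as an added example (this is not a rule from either message in the thread): the rule as posted, beside a version that pins the match to an established server-to-client stream and to the buffers HttpInspect fills. It assumes Snort 2.9 rule syntax, that "HTTP/1.1 200 OK" is the response status line (which has its own http_stat_code and http_stat_msg buffers, separate from http_header), that "prevDays=new Arr" sits in the response body (the file_data buffer), and a constructed sid of 100015 for the revised rule.

```snort
# Rule as posted in the thread: two raw-payload content matches with no flow
# or HTTP-buffer restriction.
alert tcp any any -> any any (msg:"both contents found"; \
    content:"HTTP/1.1 200 OK"; nocase; \
    content:"prevDays=new Arr"; nocase; \
    sid:100014; rev:1;)

# Revised rule (added example; assumes Snort 2.9 syntax and that the second
# string is in the HTTP response body):
#  - flow:to_client,established limits the rule to server replies inside a
#    reassembled session, which is where an HTTP response is seen;
#  - the status line is matched through the dedicated http_stat_code and
#    http_stat_msg buffers instead of a raw search for "HTTP/1.1 200 OK";
#  - file_data switches to the response body as HttpInspect decoded it, so
#    the match still works when the server sent the body gzip-compressed.
alert tcp any any -> any any (msg:"both contents found, HTTP buffers"; \
    flow:to_client,established; \
    content:"200"; http_stat_code; \
    content:"OK"; http_stat_msg; nocase; \
    file_data; content:"prevDays=new Arr"; nocase; \
    sid:100015; rev:1;)
```

The http_* modifiers and file_data only apply when the server port of the stream is in the http_inspect_server ports list in snort.conf; on a port HttpInspect does not watch, the second rule never fires, so check that list against the pcap first.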

