Snort mailing list archives

Re: Snort Content


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 4 Jul 2016 03:18:02 +0000

Can you send us a copy of the pcap?


Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi () cisco com<mailto:allewi () cisco com>


From: "Glover, Daniel (gloverdl)" <gloverdl () mail uc edu<mailto:gloverdl () mail uc edu>>
Date: Sunday, July 3, 2016 at 8:13 PM
To: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: [Snort-users] Snort Content

I am having an issue getting alerts seemingly when I add a content string to my rules. I have my rule in /etc/nsm/rules/local.rules. My PCAP file is on my Desktop in Security Onion ( Version 2.9.8.2 GRE - Build 335 ).

alert tcp 10.0.0.15 54932 -> 10.0.0.4 80 (msg:"Test"; flow:established,to_server; content:"POST"; http_method; content:"mydomain.com"; http_header; sid:30000006; rev:1;)

I am running this command in Terminal:

sudo snort -c /etc/nsm/rules/local.rules -r /path/to/Desktop/20160701.pcap -A full -l .

If I change my rule as follows it will generate an alert:

alert tcp 10.0.0.15 54932 -> 10.0.0.4 80 (msg:"Test"; flow:established,to_server; sid:30000007; rev:2;)

I’m wondering if it could be the Terminal command I am using or if it’s a configuration issue (of course I may be doing something else stupid). Any help would be appreciated.

Thank you,
Dann
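
As an added example (my own code, not from this thread or the Snort project), here is a small Python linter for the rule syntax quoted above. It parses the rule options in order and flags two things worth checking first when a rule with content fires nothing while the same rule without content alerts: that every http_* modifier is attached to a preceding content option, and that the configuration handed to -c actually enables the http_inspect preprocessor, since the http_method and http_header buffers are filled by that preprocessor and a rules file loaded on its own contains no preprocessor lines. The two sample rules are the ones from the post; the two configuration texts are constructed stand-ins, and Snort itself is not invoked.

```python
import re

# Constructed sample inputs (not captured from a live system): the two rules
# quoted in the post, and two minimal stand-ins for what `-c` would load.
RULE_WITH_HTTP = (
    'alert tcp 10.0.0.15 54932 -> 10.0.0.4 80 (msg:"Test"; '
    'flow:established,to_server; content:"POST"; http_method; '
    'content:"mydomain.com"; http_header; sid:30000006; rev:1;)'
)
RULE_PLAIN = (
    'alert tcp 10.0.0.15 54932 -> 10.0.0.4 80 (msg:"Test"; '
    'flow:established,to_server; sid:30000007; rev:2;)'
)
# A rules-only file such as local.rules: rules, but no preprocessor lines.
CONFIG_RULES_ONLY = RULE_WITH_HTTP + "\n" + RULE_PLAIN + "\n"
# A trimmed, constructed snort.conf-style file that enables http_inspect.
CONFIG_WITH_HTTP_INSPECT = (
    "preprocessor stream5_global: track_tcp yes\n"
    "preprocessor stream5_tcp: policy windows, ports client 80\n"
    "preprocessor http_inspect: global iis_unicode_map unicode.map 1252\n"
    "preprocessor http_inspect_server: server default profile all ports { 80 }\n"
    "include /etc/nsm/rules/local.rules\n"
)

# Content modifiers whose match buffers are populated by http_inspect.
HTTP_MODIFIERS = {
    "http_method", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body",
    "http_stat_code", "http_stat_msg",
}
# Keywords that modify the most recent content option (any order allowed).
CONTENT_MODIFIERS = HTTP_MODIFIERS | {
    "nocase", "offset", "depth", "distance", "within", "fast_pattern", "rawbytes",
}


def parse_rule(rule):
    """Split one Snort rule into header fields and an ordered option list.

    Returns a dict with the seven header fields plus 'options', a list of
    (keyword, value) pairs in rule order; value is None for bare keywords
    such as http_method. Quoted values may contain ';' and escaped quotes.
    """
    open_idx = rule.index("(")
    close_idx = rule.rindex(")")
    header = rule[:open_idx].split()
    if len(header) != 7:
        raise ValueError("expected: action proto src sport dir dst dport (...)")
    options, buf = [], []
    in_quote = escaped = False
    for ch in rule[open_idx + 1:close_idx]:
        if escaped:                        # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:   # end of one option
            token = "".join(buf).strip()
            if token:
                key, _, value = token.partition(":")
                options.append((key.strip(), value.strip() or None))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    parsed = dict(zip(keys, header))
    parsed["options"] = options
    return parsed


def lint_rule(rule, config_text):
    """Return findings that explain why a rule's content matches may never fire."""
    findings = []
    content_open = False   # True while modifiers may still attach to a content
    uses_http = False
    for key, _ in parse_rule(rule)["options"]:
        if key == "content":
            content_open = True
        elif key in CONTENT_MODIFIERS:
            if key in HTTP_MODIFIERS:
                uses_http = True
                if not content_open:
                    findings.append(f"{key} is not attached to a preceding content option")
        else:
            content_open = False
    has_http_inspect = re.search(r"^\s*preprocessor\s+http_inspect\b",
                                 config_text, re.MULTILINE)
    if uses_http and not has_http_inspect:
        findings.append(
            "rule uses http_* modifiers but the configuration enables no "
            "http_inspect preprocessor, so those buffers stay empty and the "
            "rule cannot match; pass -c a config that enables http_inspect")
    return findings


if __name__ == "__main__":
    for name, cfg in (("rules-only file", CONFIG_RULES_ONLY),
                      ("snort.conf with http_inspect", CONFIG_WITH_HTTP_INSPECT)):
        print(f"[{name}] sid 30000006:", lint_rule(RULE_WITH_HTTP, cfg) or "no findings")
        print(f"[{name}] sid 30000007:", lint_rule(RULE_PLAIN, cfg) or "no findings")
```

Run as a script it prints the findings for each rule against each configuration text; the content-free rule passes in both cases, and the content rule only passes when the configuration enables http_inspect. Against a real deployment the same check applies to whatever file -c points at: if it is the rules file alone, nothing configures the preprocessor that the http_method and http_header modifiers rely on.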
