Snort mailing list archives
Something is wrong with snort logging?
From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Mon, 7 Nov 2016 13:45:53 -0500
Hi,

I have a snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)

The following event shouldn't trigger without a "clntnetid" in the string, so it looks like some data isn't getting logged into the snort tables:

[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00
1.2.3.4:54862 -> 185.8.63.111:80
TCP: Data Triggering Snort Rule:
POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~Content-Length: 143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~

The other event that triggered this alert had "clntnetid" in the data string. Not sure if the events that are triggering this alert have that string in the data and snort is not logging it in the database, or something is not correct with the rule that is causing it to trigger for events NOT having that particular string in the data.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Does anyone know what might be going on?

Thanks,
Fatema.
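A triage helper for alerts like the one above, added here as an example and not part of Fatema's post or of Snort itself: it decodes the logged payload (assuming, from the sample, that "::~~" stands in for CRLF), compares the declared Content-Length with the body that was actually logged, and re-runs the body checks of sid:10001030 ("clntnetid=" within depth 10, then "&pword=" at distance 0) against that logged body. The sample payloads are constructed and abridged from the post.

```python
# Constructed, abridged copy of the logged payload from the post: headers end
# at the blank line (::~~::~~) and no body follows, despite Content-Length: 143.
LOGGED_HEADERS_ONLY = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Content-Length: 143::~~::~~"
)
# Constructed sample of what a request whose logged data includes the body looks like.
LOGGED_WITH_BODY = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Content-Length: 42::~~::~~"
    "clntnetid=user%40example.com&pword=hunter2"
)

def decode_logged(payload: str) -> bytes:
    # Assumption: the archive/database shows CRLF as the literal "::~~".
    return payload.replace("::~~", "\r\n").encode()

def split_request(raw: bytes):
    """Split an HTTP request into a lowercase header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def rule_would_match(body: bytes) -> bool:
    """Body part of sid:10001030: 'clntnetid=' must fit inside the first 10 bytes
    (depth:10), then '&pword=' must occur somewhere after it (distance:0)."""
    idx = body.find(b"clntnetid=", 0, 10)
    if idx < 0:
        return False
    return body.find(b"&pword=", idx + len(b"clntnetid=")) >= 0

def triage(payload: str) -> dict:
    """Report whether the logged packet carried the full client body and whether
    the rule's body checks succeed on what was logged."""
    headers, body = split_request(decode_logged(payload))
    declared = int(headers.get(b"content-length", b"0"))
    return {
        "declared_length": declared,
        "logged_length": len(body),
        "body_truncated": len(body) < declared,
        "rule_matches_logged_body": rule_would_match(body),
    }
```

A result with body_truncated True and rule_matches_logged_body False means the stored payload cannot by itself explain the alert, which points at what was logged rather than at the rule's content options.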