Snort mailing list archives

FW: snort with daq inline mode problem


From: <pawelsw1 () o2 pl>
Date: Sat, 31 Mar 2018 11:14:51 +0200

Hello,

I have a problem with Snort. I see in the log that it is dropping the connection, but
the TCP reset is sent after the operation is completed (create or drop table
in the database). I have a rule that checks whether a table in the database is dropped or
created.

Could you help me?



drop tcp any any -> any 3306 (msg:"Block SQL Command : CREATE TABLE";
flow:from_client,established; content: "CREATE|20|"; nocase;
pcre:"/CREATE.+TABLE/i"; sid:2015052203)

snort -c /etc/snort/snort.conf -Q  -i eth0:eth1 -A console



[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth0:eth1".
Reload thread starting...
Reload thread started, thread 0x7f393bb31700 (11945)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
Commencing packet processing (pid=11936)
Decoding Ethernet
03/30-22:13:04.167644  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
03/30-22:13:04.167633  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306
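The posted rule is a pure payload match: the "CREATE|20|" content option and the /CREATE.+TABLE/i pcre are both evaluated against the TCP payload of a client-to-server packet on port 3306, and the rule fires only when both hit. The following script is an added example (not from the post or from the Snort project) that emulates that evaluation over constructed MySQL COM_QUERY packets, so the rule's matching behaviour can be checked offline without a database or a running sensor. The MySQL packet layout (3-byte length, 1-byte sequence id, command byte 0x03 followed by the query text) is standard client protocol; the helper and function names are this example's own. Note that the log in the post shows alerts from a separate DROP TABLE rule (sid 65000004), which is not the rule quoted, so the example only covers the CREATE rule.

```python
import re
import struct

# MySQL client-protocol command byte for COM_QUERY and the server port from the rule header.
COM_QUERY = 0x03
MYSQL_PORT = 3306


def build_com_query(sql, seq=0):
    """Build the TCP payload a MySQL client sends for a query (constructed test input).
    Layout: 3-byte little-endian payload length, 1-byte sequence id,
    then the payload (command byte followed by the query text)."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_com_query(tcp_payload):
    """Return the query text if the payload is one complete COM_QUERY packet, else None."""
    if len(tcp_payload) < 5:
        return None
    length = int.from_bytes(tcp_payload[0:3], "little")
    body = tcp_payload[4:4 + length]
    if len(body) != length or body[0] != COM_QUERY:
        return None
    return body[1:].decode("utf-8", errors="replace")


# Options copied from the posted rule:
#   content:"CREATE|20|"; nocase;  -> case-insensitive search for "CREATE" followed by 0x20 (space)
#   pcre:"/CREATE.+TABLE/i";       -> regex over the same payload
CONTENT = b"create "
PCRE = re.compile(rb"CREATE.+TABLE", re.IGNORECASE)


def rule_options_match(tcp_payload):
    """Snort ANDs the rule options: both must hit on the payload for the rule to fire."""
    return CONTENT in tcp_payload.lower() and PCRE.search(tcp_payload) is not None


def evaluate_packet(tcp_payload, from_client, dst_port):
    """Emulate the whole rule: header (tcp any any -> any 3306), flow:from_client, options.
    Returns the action the rule would take plus the query text for the alert message."""
    query = parse_com_query(tcp_payload)
    if from_client and dst_port == MYSQL_PORT and rule_options_match(tcp_payload):
        return {"action": "drop", "query": query}
    return {"action": "pass", "query": query}


if __name__ == "__main__":
    for sql in ("CREATE TABLE t (id INT)", "select * from t", "DROP TABLE t"):
        print(evaluate_packet(build_com_query(sql), from_client=True, dst_port=MYSQL_PORT))
```

When the emulation says "drop" but the statement still executes on the server, the packet that carried it was not discarded on the path Snort is bridging, so the next things to check are whether the packet Snort inspected is the one the server received (the two alerts in the log carry different address pairs for the same source port, i.e. the flow is seen once before and once after translation) and whether both interfaces in the eth0:eth1 pair are actually in-line rather than mirrored. A `drop` action in inline mode only discards the packet; a TCP reset is sent only by the `reject` action.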


