[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

tony at ...2576...
Wed Jun 23 14:17:01 EDT 2004


This seemed like a no-brainer, but I can't get my rule to alert.
In Ethereal I can capture packets and use the filter
 data contains evil_hacker_string
and come up with several packets between 2 machines (192.168.0.101 &
192.168.0.27) (note: at this point I am generating the traffic) on a
specific destination port (1801); the source port varies, as does the
location of evil_hacker_string in the packet data.

I have tried several variations of the following rule and none of them
will trigger an alert; my basic snort setup works fine. I have tried
putting this rule in local.rules and mycustom.rules with the appropriate
include in snort.conf. I reload snortd (service snortd restart) and I
believe it is reading the rule, because I can crash snortd by messing up
the syntax of the rule.

alert tcp 192.168.0.101 any -> 192.168.0.27 1801 (msg:"evil_hacker_string attempt"; flow:to_server,established; content:"evil_hacker_string"; nocase; classtype:web-application-attack; sid:1009691; rev:1;)

Any help would be appreciated.
Things I've tried:
using $HOME_NET instead of the addresses
using any any
using <> instead of ->
every variation of flow, including omitting it
using offset and/or depth
changing the classtype
changing the order of the msg, flow and content in the rule
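An offline way to narrow down a problem like this is to evaluate the rule's header and content matching against packets you construct yourself, so the rule logic can be separated from everything Snort does at runtime. The script below is an added example, not code from the poster or from the Snort project. It parses the rule header and the content/nocase/offset/depth options as Snort documents them and reports which constructed packets (same hosts and destination port as in the post, varying source port and string position) the rule would select. It deliberately does not evaluate flow:, because flow:established depends on stream state (the TCP session must have been tracked from its handshake), which a single-packet check cannot know; that is one thing this check can neither confirm nor rule out. The packet contents and the $HOME_NET value are constructed for the example.

```python
"""Offline checker for a Snort content rule against constructed packets.

Added example (not from the original post or from the Snort project).
Covers: rule header (addresses, ports, -> and <>), content with the
nocase/offset/depth modifiers, and |hex| escapes inside content.
Does NOT evaluate flow:, which needs stream (session) state.
"""
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)
# key[:value];  value is either a quoted string or anything up to the ';'
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')


def parse_rule(text):
    """Parse a (possibly mail-wrapped) Snort rule into header fields plus an
    ordered option list. Runs of whitespace are collapsed to a single space."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparseable rule header")
    rule = m.groupdict()
    rule["opts"] = [(k, (v or "").strip('"')) for k, v in OPT_RE.findall(rule["opts"])]
    return rule


def _field_ok(spec, value, variables):
    spec = variables.get(spec, spec)  # resolve $HOME_NET-style variables
    return spec == "any" or spec == value


def header_matches(rule, pkt, variables=None):
    """Address/port/direction check. '<>' accepts either direction."""
    v = variables or {}
    fwd = (_field_ok(rule["src"], pkt["src"], v) and _field_ok(rule["sport"], str(pkt["sport"]), v)
           and _field_ok(rule["dst"], pkt["dst"], v) and _field_ok(rule["dport"], str(pkt["dport"]), v))
    if rule["dir"] == "->":
        return fwd
    rev = (_field_ok(rule["src"], pkt["dst"], v) and _field_ok(rule["sport"], str(pkt["dport"]), v)
           and _field_ok(rule["dst"], pkt["src"], v) and _field_ok(rule["dport"], str(pkt["sport"]), v))
    return fwd or rev


def _content_bytes(val):
    """Expand Snort's |de ad be ef| hex sections; other text is literal bytes."""
    out = b""
    for i, part in enumerate(val.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def content_matches(rule, payload):
    """Every content: must be found; modifiers up to the next content: apply
    to it. depth counts from offset. Non-modifier options are ignored."""
    opts = rule["opts"]
    for i, (key, val) in enumerate(opts):
        if key != "content":
            continue
        mods = {}
        for k, v in opts[i + 1:]:
            if k == "content":
                break
            mods[k] = v
        window = payload[int(mods.get("offset", 0)):]
        if "depth" in mods:
            window = window[:int(mods["depth"])]
        needle = _content_bytes(val)
        if "nocase" in mods:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True


def evaluate(rule_text, packets, variables=None):
    """Map each constructed packet's name to whether the rule would select it."""
    rule = parse_rule(rule_text)
    return {p["name"]: header_matches(rule, p, variables) and content_matches(rule, p["payload"])
            for p in packets}


RULE = ('alert tcp 192.168.0.101 any -> 192.168.0.27 1801 (msg:"evil_hacker_string attempt"; '
        'flow:to_server,established; content:"evil_hacker_string"; nocase; '
        'classtype:web-application-attack; sid:1009691; rev:1;)')

# Constructed packets modelled on the post: same hosts, destination port 1801,
# varying source port and varying position of the string in the payload.
PACKETS = [
    dict(name="string at offset 0", src="192.168.0.101", sport=40001,
         dst="192.168.0.27", dport=1801, payload=b"evil_hacker_string rest of data"),
    dict(name="upper case, deep in payload", src="192.168.0.101", sport=40002,
         dst="192.168.0.27", dport=1801, payload=b"x" * 200 + b"EVIL_HACKER_STRING"),
    dict(name="wrong destination port", src="192.168.0.101", sport=40003,
         dst="192.168.0.27", dport=1800, payload=b"evil_hacker_string"),
    dict(name="reply direction", src="192.168.0.27", sport=1801,
         dst="192.168.0.101", dport=40001, payload=b"evil_hacker_string"),
]

if __name__ == "__main__":
    for name, hit in evaluate(RULE, PACKETS).items():
        print(f"{'ALERT' if hit else '     '}  {name}")
    # Adding depth:50 shows why a tight depth misses a string that sits late in the payload.
    print(evaluate(RULE.replace("nocase;", "nocase; depth:50;"), PACKETS))
```

Run it as-is to see which constructed packets the posted rule would select on header and content alone; the depth:50 variant at the end shows why adding depth can silently exclude a string that appears late in the payload, which matters for traffic where the string position varies as described in the post.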



