[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

Matthew Watchinski mwatchinski at ...435...
Wed Jun 23 15:32:03 EDT 2004

Are you actually generating a real 3-way tcp handshake?  If you are just 
sending a single packet this won't work, as flow keys off established 


tony at ...2576... wrote:

>This seemed like a no-brainer but I can't get my rule to alert:
>In Ethereal I can capture packets and use the filter
> data contains evil_hacker_string
>and come up with several packets between 2 machines ( &
> (note: at this point I am generating the traffic) on a
>specific destination port(1801), the source port varies, as does the
>location of evil_hacker_string in the packet data.
>I have tried several variations of the following rule and none of them
>will trigger an alert, my basic snort setup works fine. I have tried
>putting this rule in local.rules and mycustom.rules with the appropriate
>include in snort.conf. I reload snortd (service snortd restart) and I
>believe it is reading the rule because I can crash snortd by messing up
>the syntax of the rule.
>alert tcp any -> 1801 (msg:"evil_hacker_string
>attempt"; flow:to_server,established; content:"evil_hacker_string";
>nocase; classtype:web-application-attack; sid:1009691; rev:1;)
>Any help would be appreciated.
>Things I've tried:
>using $HOME_NET instead of the addresses
>using any any
>using <> instead of ->
>every variation of flow including omitting it
>using offset and/or depth
>changing the class-type
>changing the order of the msg, flow and content in the rule

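The point made in the reply, that a rule using flow:to_server,established only inspects content once a real three-way handshake has been tracked, shown as an added example (not part of the original thread and not Snort's own code). It is a simplified Python model of session tracking; the addresses, the client ports and the packet tuples are constructed.

```python
# Simplified model of a stream tracker plus the rule's flow/content checks.
# Added example: not Snort's code; every packet below is constructed.
from dataclasses import dataclass

SERVER_PORT = 1801                  # destination port from the rule in the thread
NEEDLE = b"evil_hacker_string"      # content string from the rule (nocase)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                      # "S", "SA", "A", "PA"
    payload: bytes = b""

def flow_key(p):
    # Direction-independent key so both halves of a session share state.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def alerts(packets):
    """Indexes of packets matching flow:to_server,established plus content (nocase)."""
    state = {}                      # flow_key -> (stage, client endpoint)
    hits = []
    for i, p in enumerate(packets):
        key = flow_key(p)
        stage, client = state.get(key, ("NONE", None))
        if p.flags == "S":
            state[key] = ("SYN_SEEN", (p.src, p.sport))
        elif p.flags == "SA" and stage == "SYN_SEEN" and (p.dst, p.dport) == client:
            state[key] = ("SYNACK_SEEN", client)
        elif "A" in p.flags and stage == "SYNACK_SEEN" and (p.src, p.sport) == client:
            state[key] = ("ESTABLISHED", client)
        stage, client = state.get(key, ("NONE", None))
        # to_server: session is established and the packet comes from the client side.
        to_server = stage == "ESTABLISHED" and (p.src, p.sport) == client
        if to_server and p.dport == SERVER_PORT and NEEDLE in p.payload.lower():
            hits.append(i)
    return hits

C, S = "192.0.2.10", "192.0.2.20"   # documentation addresses (constructed)
handshake = [Pkt(C, 40000, S, 1801, "S"),
             Pkt(S, 1801, C, 40000, "SA"),
             Pkt(C, 40000, S, 1801, "A")]
data = Pkt(C, 40000, S, 1801, "PA", b"GET Evil_Hacker_String")
lone = [Pkt(C, 40001, S, 1801, "PA", b"evil_hacker_string")]  # single packet, no handshake

print(alerts(handshake + [data]), alerts(lone))
```

The same payload alerts after a tracked handshake and is ignored when sent as a lone packet, which is the failure mode the reply asks about.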