[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

tony at ...2576... tony at ...2576...
Wed Jun 23 15:43:11 EDT 2004


Yes I am, there are several packets that go through as part of a complete
request and response, I am interested in the one particular packet that
has "evil_hacker_string" in it.
Please note the things I've tried included changing and omitting the flow
portion of the rule.

>>every variation of flow including omitting it<<<<<-------

Thank you for responding,
-Tony
> Are you actually generating a real 3-way tcp handshake?  If you are just
> sending a single packet this won't work, as flow keys off established
> sessions
>
> Cheers,
> -matt
>
> tony at ...2576... wrote:
>
>>This seemed like a no-brainer but I can't get my rule to alert:
>>In Ethereal I can capture packets and use the filter
>> data contains evil_hacker_string
>>and come up with several packets between 2 machines (192.168.0.101 &
>>192.168.0.27) (note: at this point I am generating the traffic) on a
>>specific destination port(1801), the source port varies, as does the
>>location of evil_hacker_string in the packet data.
>>
>>I have tried several variations of the following rule and none of them
>>will trigger an alert; my basic snort setup works fine. I have tried
>>putting this rule in local.rules and mycustom.rules with the appropriate
>>include in snort.conf. I reload snortd (service snortd restart) and I
>>believe it is reading the rule because I can crash snortd by messing up
>>the syntax of the rule.
>>
>>alert tcp 192.168.0.101 any -> 192.168.0.27 1801 (msg:"evil_hacker_string
>>attempt"; flow:to_server,established; content:"evil_hacker_string";
>>nocase; classtype:web-application-attack; sid:1009691; rev:1;)
>>
>>Any help would be appreciated.
>>Things I've tried:
>>using $HOME_NET instead of the addresses
>>using any any
>>using <> instead of ->
>>every variation of flow including omitting it<<<<<-------
>>using offset and/or depth
>>changing the class-type
>>changing the order of the msg, flow and content in the rule
>>
>>
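To make Matt's point concrete, here is an added example (not code from this thread and not Snort's own code) that models, in a few dozen lines, how a content rule with `flow:to_server,established` is evaluated: a small TCP session tracker that only marks a flow established after it has seen the SYN, SYN-ACK and ACK, followed by the content/nocase/offset/depth checks. The two captures, the 192.168.0.101 -> 192.168.0.27:1801 addresses and the rule dictionary are constructed to mirror the rule in Tony's post; the helper names (`track_sessions`, `rule_matches`, `alerts`) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    """Minimal TCP packet model (constructed; no real capture parsing)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S", "SA", "A", "PA"
    payload: bytes = b""

def track_sessions(packets):
    """Label each packet with (established, direction) by watching the 3-way handshake.
    Direction is relative to the side that sent the SYN, as Snort's flow keyword does."""
    state = {}  # (client, cport, server, sport) -> "syn" | "synack" | "established"
    labelled = []
    for p in packets:
        c2s = (p.src, p.sport, p.dst, p.dport)
        s2c = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            state[c2s] = "syn"
        elif p.flags == "SA" and state.get(s2c) == "syn":
            state[s2c] = "synack"
        elif "A" in p.flags and state.get(c2s) == "synack":
            state[c2s] = "established"          # third packet of the handshake
        if c2s in state:
            direction, established = "to_server", state[c2s] == "established"
        elif s2c in state:
            direction, established = "to_client", state[s2c] == "established"
        else:
            direction, established = None, False  # packet outside any tracked session
        labelled.append((p, established, direction))
    return labelled

def content_match(payload: bytes, pattern: bytes, nocase=False, offset=0, depth: Optional[int] = None):
    """Snort-style content match: search only the window selected by offset/depth."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern.lower() in window.lower() if nocase else pattern in window

def rule_matches(rule, p, established, direction):
    """Header checks, then flow checks, then the content check."""
    if rule["src"] != "any" and rule["src"] != p.src:
        return False
    if rule["dst"] != "any" and rule["dst"] != p.dst:
        return False
    if rule["dport"] != "any" and rule["dport"] != p.dport:
        return False
    flow = rule.get("flow") or ()
    if "established" in flow and not established:
        return False  # this is what drops a single crafted packet with no handshake
    if "to_server" in flow and direction != "to_server":
        return False
    return content_match(p.payload, rule["content"], rule["nocase"], rule["offset"], rule["depth"])

def alerts(rule, packets):
    """Indexes of packets in the capture that would raise the alert."""
    return [i for i, (p, est, d) in enumerate(track_sessions(packets)) if rule_matches(rule, p, est, d)]

# Rule from the post, expressed as a dictionary.
RULE = {"src": "192.168.0.101", "dst": "192.168.0.27", "dport": 1801,
        "flow": ("to_server", "established"),
        "content": b"evil_hacker_string", "nocase": True, "offset": 0, "depth": None}

C, S = "192.168.0.101", "192.168.0.27"
# Constructed capture 1: full handshake, then a request carrying the string (mixed case), then the reply.
HANDSHAKE_THEN_DATA = [
    Packet(C, 40001, S, 1801, "S"),
    Packet(S, 1801, C, 40001, "SA"),
    Packet(C, 40001, S, 1801, "A"),
    Packet(C, 40001, S, 1801, "PA", b"GET /x Evil_Hacker_String HTTP/1.0"),
    Packet(S, 1801, C, 40001, "PA", b"200 OK evil_hacker_string echoed back"),
]
# Constructed capture 2: one data packet with no handshake in front of it.
SINGLE_CRAFTED_PACKET = [
    Packet(C, 40002, S, 1801, "PA", b"evil_hacker_string with no handshake"),
]

if __name__ == "__main__":
    print("handshake capture:", alerts(RULE, HANDSHAKE_THEN_DATA))           # [3]
    print("single packet:    ", alerts(RULE, SINGLE_CRAFTED_PACKET))         # []
    print("flow removed:     ", alerts(dict(RULE, flow=None), SINGLE_CRAFTED_PACKET))  # [0]
    print("depth:10 added:   ", alerts(dict(RULE, depth=10), HANDSHAKE_THEN_DATA))     # []
```

The last two calls cover two of the things Tony tried: dropping `flow` makes the handshake-less packet match (at the cost of losing the session check), and adding a small `depth` silently stops the match because the string sits past byte 10 of the payload, which is why offset/depth are a poor fit when the string's position varies from packet to packet.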