[Snort-sigs] testing snort signature with uri content

MD B Zaman L mdbzaman.l at ...2420...
Sat Feb 16 05:10:14 EST 2008


Greetings,

     I installed snort on another machine with the same configuration,
     and it was working fine. The necessary alerts are generated.

    Thanks all, for providing suggestions to solve the problem.


 regards
zaman

On Feb 14, 2008 10:26 AM, Matthew Watchinski <mwatchinski at ...435...>
wrote:

> Are you generating your test traffic from the same system running snort?
>
> If so you might want to try the following:
>
> If you run tcpdump -i <interface> -nvvvv | egrep -i '(bad|invalid)'
>
> Do you see anything?
>
> If so you'll need to run snort with "-k none" for your testing which
> turns off validation of checksums.
>
> -matt
>
> MD B Zaman L wrote:
> > On Thu, Feb 14, 2008 at 4:17 AM, Jamie Riden <jamie.riden at ...2420...>
> wrote:
> >
> >> Just as a sanity check, have you verified that the sensor is seeing
> >> the appropriate packets? (ngrep or tcpdump will do).
> >
> >
> >
> >     Yes, I have verified with Ethereal and it is generating the matching
> > packets.
> >    Also, snort is working fine with other signatures like ICMP ping and
> > content
> >   matching for other ports like 53.
> >   I am only facing the problem with port 80. Even if I replace
> uricontent
> >   with content, it does not work.
> >
> >   regards
> >  zaman
> >
> >>
> >>
> >>
> >> On 14/02/2008, MD B Zaman L <mdbzaman.l at ...2420...> wrote:
> >>> Greetings  Esler,
> >>>
> >>>         The following are the entries in snort.conf
> >>>
> >>>       var HOME_NET 172.16.16.251
> >>>       var EXTERNAL_NET any
> >>>       var HTTP_SERVERS $HOME_NET
> >>>       portvar HTTP_PORTS [80,443]
> >>>
> >>>   The HTTP server is running on 172.16.16.251
> >>>
> >>>    I also  modified the snort signature to
> >>>
> >>>   alert tcp any any -> any any (msg:"uri content testing successful";
> >>>   flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
> >>>
> >>>   But still it is not firing the alert .
> >>>
> >>>
> >>>    regards
> >>>    zaman
> >>>
> >>>
> >>>
> >>>
> >>> On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler at ...435...
> >
> >>> wrote:
> >>>
> >>>> I would first look at your directional statements.  How do you have
> >>> $HTTP_SERVERS configured?  It is pointing towards $HOME_NET?  Is your
> >>> $HOME_NET filled in?
> >>>>
> >>>> How about $EXTERNAL_NET?  How is that variable configured?
> >>>>
> >>>>
> >>>> J
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Greetings All,
> >>>>
> >>>>          I am a new user of snort . I am finding some difficulty in
> >> using
> >>> the snort signatures with uri content.
> >>>>         I have created my own snort signature as follows to test for
> >> uri
> >>> content.
> >>>>        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful";
> >>>>        flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
> >>>>
> >>>>
> >>>>      After that I tried to access the webpage
> >>> http://<http_server>/server-info  and verified with
> >>> Ethereal whether the content /server-info  is generated or not.
> >>>>      Ethereal was showing that the content was generated.
> >>>>
> >>>>      But no alert was fired for the above written signature.
> >>>>
> >>>>      Please clarify for me how to test signatures with uri content.
> >>>>
> >>>>      Snort is working fine as I have checked with other signatures
> >> with no
> >>> uricontent.
> >>>>        With Thanks in Advance
> >>>>
> >>>>     regards
> >>>>     zaman
> >> --
> >> Jamie Riden / jamesr at ...3216... / jamie at ...3294...
> >> UK Honeynet Project: http://www.ukhoneynet.org/
> >>
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
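The two things this thread turns on, a TCP checksum that fails validation when test traffic is generated on the sensor itself (so Snort silently drops the packet unless it is run with -k none) and a flow:to_server,established rule that only matches once the stream preprocessor has seen the handshake, can be reproduced offline. The script below is an added example for this thread, not code from the thread or from the Snort project. It builds a minimal TCP session (SYN, SYN/ACK, ACK, then GET /server-info) against the 172.16.16.251 server named above, writes it to a pcap twice, once with valid TCP checksums and once with the checksum field left at zero as a local capture shows when the NIC is expected to fill it in, and contains the same checksum verification Snort applies by default. The client address, ports, MAC addresses and file names are constructed assumptions.

```python
"""Build a tiny pcap of an HTTP GET /server-info session with good and with
bad TCP checksums, so a uricontent rule can be tested offline with snort -r.
Added example for this thread; addresses, ports and MACs are constructed."""
import socket
import struct

CLIENT_IP = "172.16.16.100"   # assumed client, same /24 as the thread's HOME_NET
SERVER_IP = "172.16.16.251"   # the HTTP server named in the thread
CLIENT_PORT, SERVER_PORT = 40001, 80
SYN, ACK, PSH = 0x02, 0x10, 0x08
REQUEST = b"GET /server-info HTTP/1.1\r\nHost: 172.16.16.251\r\n\r\n"


def rfc1071(data: bytes) -> int:
    """One's-complement checksum used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the pseudo-header plus a segment whose checksum field is zero."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return rfc1071(pseudo + segment)


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", good=True):
    """IPv4+TCP packet. good=False leaves the TCP checksum at 0, which is what a
    capture on the sending host shows when checksum offload defers it to the NIC."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp) if good else 0
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", rfc1071(ip)) + ip[12:]   # IP header checksum is always valid here
    return ip + tcp


def tcp_checksum_ok(packet: bytes) -> bool:
    """The validation Snort performs by default (-k all); -k none skips it."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment[:16] + b"\x00\x00" + segment[18:])


def build_session(good: bool = True) -> list:
    """Three-way handshake followed by the GET: flow:to_server,established only
    matches when the stream preprocessor has seen the handshake."""
    cseq, sseq = 1000, 5000
    c2s = (CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT)
    s2c = (SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT)
    return [
        build_packet(*c2s, cseq, 0, SYN, good=good),
        build_packet(*s2c, sseq, cseq + 1, SYN | ACK, good=good),
        build_packet(*c2s, cseq + 1, sseq + 1, ACK, good=good),
        build_packet(*c2s, cseq + 1, sseq + 1, PSH | ACK, REQUEST, good=good),
    ]


def write_pcap(path: str, packets: list) -> int:
    """Classic pcap file (link type 1, Ethernet) with constructed MAC addresses."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            frame = eth + pkt
            fh.write(struct.pack("<IIII", 1203000000 + i, 0, len(frame), len(frame)))
            fh.write(frame)
    return len(packets)


if __name__ == "__main__":
    for name, good in (("uri_test_good.pcap", True), ("uri_test_bad.pcap", False)):
        pkts = build_session(good)
        write_pcap(name, pkts)
        print(name, "TCP checksums valid:", all(tcp_checksum_ok(p) for p in pkts))
```

Feed the two files to the sensor with the rule above loaded: `snort -r uri_test_bad.pcap -c snort.conf -A console` produces no alert in the default checksum mode, and `tcpdump -r uri_test_bad.pcap -nvvv` reports the bad checksums, mirroring the check suggested earlier in the thread; adding `-k none` makes the "uri content testing successful" alert fire. uri_test_good.pcap alerts in both modes, provided the stream preprocessor is enabled, since the rule's flow:established keyword depends on it. Dropping the three handshake packets from build_session is a quick way to see the rule go quiet for the second reason.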