[Snort-sigs] how can we alert on web visiting activity?

Matt Olney molney at ...435...
Thu Nov 19 16:00:26 EST 2009


doh...you're right, thanks for the catch!

Matt

On Thu, Nov 19, 2009 at 3:56 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> You may want to peek at the manual again.  You turned off logging, not
> checksum checking.
>
> -k <mode>   Checksum mode (all,noip,notcp,noudp,noicmp,none)
> -K <mode>   Logging mode (pcap[default],ascii,none)
>
> -evilghost
>
> mary andrews wrote:
>> I tried it with the upper case K, still nothing.
>>
>> c:\snort\bin\snort -A console -i 2 -c c:\snort\etc\snort.conf -l
>> c:\snort\log -K none -s
>>
>>
>>
>> On Thu, Nov 19, 2009 at 3:13 PM, Joel Esler <jesler at ...435...> wrote:
>>
>>
>>> Well, I don't know anything about the flowbits problem you are talking
>>> about.
>>>
>>> But I did ask an e-mailed question to devel about the functionality of
>>> rawbytes since there may be some misunderstanding.
>>>
>>> But I wasn't provided any pcaps or anything of problems...
>>>
>>> J
>>>
>>>
>>> On Thu, Nov 19, 2009 at 2:25 PM, evilghost at ...3397... <
>>> evilghost at ...3397...> wrote:
>>>
>>>
>>>> It was effectively communicated to Joel Esler who forwarded it to SF
>>>> development.  Flowbits are borked too by the way.
>>>>
>>>> Nigel Houghton wrote:
>>>>
>>>>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
>>>>> <evilghost at ...3397...> wrote:
>>>>>
>>>>>
>>>>>> What version of Snort are you using?  I have had issues with content
>>>>>> matching working correctly in the 2.8 branch (as have others at Emerging
>>>>>> Threats), I was able to get content matching to work as expected by
>>>>>> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>>>>>>
>>>>>> content:"ebay"; nocase; rawbytes;
>>>>>>
>>>>>> -evilghost
>>>>>>
>>>>>>
>>>>> If you have evidence to support your claim, we would like to see it. A
>>>>> bug report would be good, until then, please refrain from giving
>>>>> "advice" like this. Your recommendation is detrimental to performance.
>>>>>
>>>>>
>>>>>
>>>> ------------------------------------------------------------------------------
>>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>>> 30-Day
>>>> trial. Simplify your report design, integration and deployment - and focus
>>>> on
>>>> what you do best, core application coding. Discover what's new with
>>>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>>
>>>
>>> --
>>> Joel Esler | 302-223-5974 | gtalk: jesler at ...435...
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>