[Snort-sigs] how can we alert on web visiting activity?

mary andrews maryandrews22 at ...2420...
Thu Nov 19 16:10:03 EST 2009


Got it, that's what it was, it worked!!!!!

Many, MANY THANKS!
m

On Thu, Nov 19, 2009 at 3:56 PM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> You may want to peek at the manual again.  You turned off logging, not
> checksum checking.
>
> -k <mode>   Checksum mode (all,noip,notcp,noudp,noicmp,none)
> -K <mode>   Logging mode (pcap[default],ascii,none)
>
> -evilghost
>
> mary andrews wrote:
> > I tried it with the upper case K, still nothing.
> >
> > c:\snort\bin\snort -A console -i 2 -c c:\snort\etc\snort.conf -l c:\snort\log -K none -s
> >
> >
> >
> > On Thu, Nov 19, 2009 at 3:13 PM, Joel Esler <jesler at ...435...> wrote:
> >
> >
> >> Well, I don't know anything about the flowbits problem you are talking
> >> about.
> >>
> >> But I did ask an emailed question to devel about the functionality of
> >> rawbytes since there may be some misunderstanding.
> >>
> >> But I wasn't provided any pcaps or anything of problems...
> >>
> >> J
> >>
> >>
> >> On Thu, Nov 19, 2009 at 2:25 PM, evilghost at ...3397... <
> >> evilghost at ...3397...> wrote:
> >>
> >>
> >>> It was effectively communicated to Joel Esler who forwarded it to SF
> >>> development.  Flowbits are borked too by the way.
> >>>
> >>> Nigel Houghton wrote:
> >>>
> >>>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
> >>>> <evilghost at ...3397...> wrote:
> >>>>
> >>>>
> >>>>> What version of Snort are you using?  I have had issues with content
> >>>>> matching working correctly in the 2.8 branch (as have others at Emerging
> >>>>> Threats), I was able to get content matching to work as expected by
> >>>>> using the rawbytes option.  See section 3.5.3 in the Snort manual.
> >>>>>
> >>>>> content:"ebay"; nocase; rawbytes;
> >>>>>
> >>>>> -evilghost
> >>>>>
> >>>>>
> >>>> If you have evidence to support your claim, we would like to see it. A
> >>>> bug report would be good, until then, please refrain from giving
> >>>> "advice" like this. Your recommendation is detrimental to performance.
> >>>>
> >>>>
> >>>>
> >>>
> ------------------------------------------------------------------------------
> >>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> >>> 30-Day
> >>> trial. Simplify your report design, integration and deployment - and
> focus
> >>> on
> >>> what you do best, core application coding. Discover what's new with
> >>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> >>> _______________________________________________
> >>> Snort-sigs mailing list
> >>> Snort-sigs at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>>
> >>>
> >>
> >> --
> >> Joel Esler | 302-223-5974 | gtalk: jesler at ...435...
> >>
> >>
> >>