[Snort-sigs] how can we alert on web visiting activity?

Eoin Miller eoin.miller at ...3415...
Thu Nov 19 16:42:15 EST 2009


This has bitten us in the rear as well. Adding the following lines to your 
snort.conf file will have the same effect as using the "-k" option. Here is 
a section of our snort.conf related to this:

---snip---
#
# Don't drop stuff because of the checksum (snort -k)
#
config checksum_mode: none
---snip---

I am sure there is a great reason to allow packets to be ignored due to 
bad checksums, but having this be default behavior can cause some issues 
for users. I guess in theory the network devices/clients/servers should 
be disregarding the packets due to the bad checksums?

-- Eoin
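To make concrete what the checksum_mode setting gates, and what the rawbytes option discussed further down changes, here is an added stand-alone illustration (my own Python, not Snort code and not anything posted in this thread). It builds one made-up IPv4/TCP packet with correct checksums, damages the TCP checksum the way outbound traffic captured on a host with NIC checksum offload looks, and models two pieces of the Snort pipeline: the decoder gate that -k / config checksum_mode controls (bad-checksum packets are dropped before any rule runs) and a content match done either against a normalised buffer or, with rawbytes, against the raw payload. Percent-decoding stands in for the preprocessor normalisation, the addresses, ports and payloads are constructed, and the "ebay" rule is the one quoted below. Two things it shows that the thread only hints at: a sensor that verifies checksums never sees its own host's offloaded outbound traffic, and a sensor running with checksum_mode: none will happily match packets that the receiving stack would throw away.

```python
"""Checksum gating and rawbytes, modelled in plain Python (added illustration:
not Snort code and not code from anyone in the thread). A constructed IPv4/TCP
packet is run through stand-ins for the decoder gate that `config
checksum_mode` / `snort -k` controls and for a `content:` match with and
without rawbytes. Addresses, ports and payloads are made up."""
import struct
from urllib.parse import unquote_to_bytes

def rfc1071_checksum(data):
    """One's-complement sum of 16-bit words, folded and complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src, dst, sport, dport, payload):
    """IPv4 header + 20-byte TCP header + payload, both checksums filled in."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp_len = 20 + len(payload)
    # IPv4: ver/IHL, TOS, total length, ID, DF, TTL, proto 6, csum placeholder
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    # TCP: ports, seq, ack, data offset 5, PSH|ACK, window, csum placeholder, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    csum = rfc1071_checksum(pseudo + tcp + payload) or 0xFFFF  # 0 is sent as 0xFFFF
    return ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:] + payload

def with_bad_tcp_checksum(pkt):
    """Copy of pkt whose TCP checksum cannot verify, as on a capture of outbound
    traffic from a host with NIC checksum offload (the field still holds the
    kernel's placeholder). +2 rather than +1 so it can never hit the second
    one's-complement spelling of zero."""
    off = (pkt[0] & 0x0F) * 4 + 16
    bad = (struct.unpack("!H", pkt[off:off + 2])[0] + 2) & 0xFFFF
    return pkt[:off] + struct.pack("!H", bad) + pkt[off + 2:]

def ip_checksum_ok(pkt):
    return rfc1071_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0

def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return rfc1071_checksum(pseudo + seg) == 0

def decoder_accepts(pkt, checksum_mode):
    """Stand-in for the decoder gate: True means the packet reaches detection.
    Mode names mirror `-k`: all, noip, notcp, noudp, noicmp, none."""
    skip = {"all": set(), "noip": {"ip"}, "notcp": {"tcp"}, "noudp": {"udp"},
            "noicmp": {"icmp"}, "none": {"ip", "tcp", "udp", "icmp"}}[checksum_mode]
    if "ip" not in skip and not ip_checksum_ok(pkt):
        return False
    if "tcp" not in skip and not tcp_checksum_ok(pkt):
        return False
    return True

def tcp_payload(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]

def content_match(pkt, needle, nocase=True, rawbytes=False):
    """Model of `content:`: by default it looks at the normalised buffer,
    with rawbytes it ignores the preprocessor and looks at the raw payload."""
    buf = tcp_payload(pkt)
    if not rawbytes:
        buf = unquote_to_bytes(buf)  # stand-in for HTTP URI normalisation
    if nocase:
        buf, needle = buf.lower(), needle.lower()
    return needle in buf

def alerts(pkt, checksum_mode="all", needle=b"ebay", rawbytes=False):
    """Whole path for the thread's rule: decoder gate, then content match."""
    return decoder_accepts(pkt, checksum_mode) and content_match(pkt, needle, True, rawbytes)

# Constructed traffic: "ebay" plainly in the URI, and percent-encoded.
PLAIN = build_packet("10.0.0.5", "192.0.2.10", 49152, 80, b"GET /ebay/item HTTP/1.1\r\n")
ENCODED = build_packet("10.0.0.5", "192.0.2.10", 49153, 80, b"GET /e%62ay/item HTTP/1.1\r\n")
OFFLOADED = with_bad_tcp_checksum(PLAIN)  # same bytes as PLAIN, as captured on the sender

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("offloaded", OFFLOADED), ("encoded", ENCODED)):
        for mode in ("all", "none"):
            print(f"{name:9s} checksum_mode={mode:4s} alert={alerts(pkt, mode)!s:5s} "
                  f"with rawbytes={alerts(pkt, mode, rawbytes=True)}")
```

Running it prints one line per packet and mode. The OFFLOADED packet only alerts once the TCP check is skipped (notcp or none), which is the symptom the thread is chasing; the ENCODED packet alerts against the normalised buffer but not with rawbytes, which is why rawbytes is a blunt instrument rather than a general fix.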

mary andrews wrote:
> Got it, that's what it was, it worked!!!!!
>  
> Many, MANY THANKS!
> m
>
> On Thu, Nov 19, 2009 at 3:56 PM, evilghost at ...3397... wrote:
>
>     You may want to peek at the manual again.  You turned off logging, not
>     checksum checking.
>
>     -k <mode>   Checksum mode (all,noip,notcp,noudp,noicmp,none)
>     -K <mode>   Logging mode (pcap[default],ascii,none)
>
>     -evilghost
>
>     mary andrews wrote:
>     > I tried it with the upper case K, still nothing.
>     >
>     > c:\snort\bin\snort -A console -i 2 -c c:\snort\etc\snort.conf -l
>     > c:\snort\log -K none -s
>     >
>     >
>     >
>     > On Thu, Nov 19, 2009 at 3:13 PM, Joel Esler <jesler at ...435...> wrote:
>     >
>     >
>     >> Well, I don't know anything about the flowbits problem you are
>     >> talking about.
>     >>
>     >> But I did email a question to devel about the functionality of
>     >> rawbytes, since there may be some misunderstanding.
>     >>
>     >> But I wasn't provided any pcaps or anything of problems...
>     >>
>     >> J
>     >>
>     >>
>     >> On Thu, Nov 19, 2009 at 2:25 PM, evilghost at ...3397... wrote:
>     >>
>     >>
>     >>> It was effectively communicated to Joel Esler who forwarded it
>     >>> to SF development.  Flowbits are borked too by the way.
>     >>>
>     >>> Nigel Houghton wrote:
>     >>>
>     >>>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397... wrote:
>     >>>>
>     >>>>
>     >>>>> What version of Snort are you using?  I have had issues with
>     >>>>> content matching working correctly in the 2.8 branch (as have
>     >>>>> others at Emerging Threats); I was able to get content matching
>     >>>>> to work as expected by using the rawbytes option.  See section
>     >>>>> 3.5.3 in the Snort manual.
>     >>>>>
>     >>>>> content:"ebay"; nocase; rawbytes;
>     >>>>>
>     >>>>> -evilghost
>     >>>>>
>     >>>>>
>     >>>> If you have evidence to support your claim, we would like to
>     >>>> see it. A bug report would be good; until then, please refrain
>     >>>> from giving "advice" like this. Your recommendation is
>     >>>> detrimental to performance.
>     >>>>
>     >>>>
>     >>>>
>     >>>
>     ------------------------------------------------------------------------------
>     >>> Let Crystal Reports handle the reporting - Free Crystal
>     Reports 2008
>     >>> 30-Day
>     >>> trial. Simplify your report design, integration and deployment
>     - and focus
>     >>> on
>     >>> what you do best, core application coding. Discover what's new
>     with
>     >>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>     >>> _______________________________________________
>     >>> Snort-sigs mailing list
>     >>> Snort-sigs at lists.sourceforge.net
>     >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>     >>>
>     >>>
>     >>
>     >> --
>     >> Joel Esler | 302-223-5974 | gtalk: jesler at ...435...
>     >>
>     >>
>     >>
>     >
>     >
>
>
>