[Snort-sigs] Problems using flow quantifier
research at ...4016...
Thu Mar 5 14:41:33 EST 2015
On Mar 5, 2015, at 2:25 PM, lists at ...3397... wrote:
> On 03/05/2015 12:48 PM, Research wrote:
>> sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
>> I am wondering what I am doing incorrectly?
> A very well formed, respectful, asked question -- thank you for that. Add '-k none'; do reply if this does or does not fix it. I am happy to help.
> Nathan Fowler
Thank you for your response.
I modified the command line with the -k none argument as you suggested:
sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -k none -D
…and then tested the rule and successfully received an alert in alerts.log!
I iterated on the rule and made it a bit more specific:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"/robots.txt"; sid:10000002; rev:002;)
…and am happy to say that this was successful as well. It managed to pick up the Bing bot spidering my site.
I checked the man page for the -k argument and note that the -k none option does the following:
"None turns off the entire checksum verification subsystem."
Out of curiosity, why was that causing problems? My web server is on a cloud instance - are the virtualized NICs not able to calculate checksums correctly and were interfering with rule detection (i.e., Snort was seeing an invalid checksum and discarding the packet instead of running the rule on it)?
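The following is an added example, not part of this thread: it recomputes a TCP checksum the way a verifying decoder does, over the IPv4 pseudo-header plus the segment, and shows that a captured copy whose checksum field has not yet been filled in (as happens when checksumming is offloaded to the NIC and the capture point sits before it) fails verification, which is the situation `-k none` sidesteps. The segment, addresses (RFC 5737 ranges) and request are constructed for the example.

```python
# Added example (not from the mailing-list thread): TCP checksum verification
# as a decoder performs it, to show why captures with offloaded (unfilled)
# checksums fail the check unless verification is turned off.
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry; pad an odd tail byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto, TCP length)
    followed by the TCP header and payload, with bytes 16-17 treated as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True only if the stored checksum matches a fresh computation."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(payload: bytes, checksum: int) -> bytes:
    """Minimal 20-byte TCP header (PSH/ACK to port 80, no options) + payload."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000,
                      5 << 4, 0x18, 1024, checksum, 0)
    return hdr + payload

SRC, DST = "192.0.2.1", "198.51.100.10"  # constructed: RFC 5737 documentation addresses
PAYLOAD = b"GET /robots.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed request

def good_segment() -> bytes:
    """The segment as it appears on the wire once the checksum is filled in."""
    return build_segment(PAYLOAD, tcp_checksum(SRC, DST, build_segment(PAYLOAD, 0)))

def offloaded_segment() -> bytes:
    """The same segment as a capture sees it before the NIC computes the field."""
    return build_segment(PAYLOAD, 0)

if __name__ == "__main__":
    print("wire copy verifies:", verify_tcp_checksum(SRC, DST, good_segment()))
    print("offloaded copy verifies:", verify_tcp_checksum(SRC, DST, offloaded_segment()))
```

A decoder that discards the offloaded copy never hands it to rule matching, so a content match such as "/robots.txt" cannot fire on it.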