[Snort-sigs] Problems using flow quantifier

Research research at ...4016...
Thu Mar 5 14:41:33 EST 2015


On Mar 5, 2015, at 2:25 PM, lists at ...3397... wrote:

> On 03/05/2015 12:48 PM, Research wrote:
>> 	sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
>> 
>> I am wondering what I am doing incorrectly ?
> 
> A very well formed, respectful, asked question -- thank you for that.  Add '-k
> none' do reply if this does or does not fix it.  I am happy to help.
> 
> Cheers,
> Nathan Fowler

Hi Nathan,

Thank you for your response.

I modified the command line with the -k none argument as you suggested:

	sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -k none -D

…and then tested the rule and successfully received an alert in alerts.log!

I iterated on the rule and made it a bit more specific:

	alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
        	(msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"/robots.txt"; sid:10000002; rev:002;)

…and am happy to say that this was successful as well.  It managed to pick up the Bing bot spidering my site.

I checked the man page for the -k argument and note that the -k none option does the following:

	"None turns off the entire checksum verification subsystem.”

Out of curiosity, why was that causing problems ?  My web server is on a cloud instance - are the virtualized NIC’s not able to calculate checksums correctly and were interfering with rule detection (i.e.: Snort was seeing an invalid checksum and discarding the packet instead of running the rule on it) ?

Thank you.


	



More information about the Snort-sigs mailing list