[Snort-users] Packet Payload not appearing for internal traffic...

Grimes, Shawn (NIA/IRP) GrimesSh at ...3368...
Thu Oct 4 14:17:03 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems my snort is not viewing the packet payload of outboung
traffic. I have two rules setup to monitor for code red/nimba related
activity. One for attacks against us and another for us attacking
other sites (meaning we got infected somewhere). The incoming attacks
rule works great, the outgoing doesn't work at all. here are my
rules: 

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Cmd.exe attempt
against us"; content:"cmd.exe";nocase;)
alert tcp $HOME_NET any -> any 80 (msg:"Cmd.exe attempt from us";
content:"cmd.exe";nocase;)
Again, incoming works great, I can see every box that trys to access
cmd.exe on one of our local computers.
Outgoing however, if I type in a web address say:
http://www.google.com/cmd.exe . I don't get the alert I'm supposed
to. I set up a rule for:
alert tcp any any -> any any (msg: "Flood of traffic";) and I got
several allerts but when I went into the detailed view in Acid of the
alert, the packet payload was empty. Any ideas? 

TIA,
Shawn


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO7zRs9uEKqGIN9SBEQKoQgCeJ7yP9XfX1SPHf9KNljRU1zVlIBgAoL1A
rFP7KTSpYINqAxp+lLyld4CO
=1Vt/
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list