[Snort-users] packet logging

Matt Kettler mkettler at ...4108...
Wed Jul 23 07:00:18 EDT 2003

At 03:07 PM 7/23/2003 +0800, cc wrote:
>I'm just testing snort right now and was wondering if someone
>could tell me if the following rule is wrong:
>alert tcp any any -> $LAN any ( content: "GET /banner/"; \
>                                 msg: "banner test";)
>It's in the myrules.rules file and is included in the
>snort.conf file.
>If a user from a workstation goes to a website and the
>website sends a banner, shouldn't there be a log?

No, because the GET command will go FROM the lan not TO it.

You would want:

alert tcp $LAN any -> any any ( content: "GET /banner/"; \
                  msg: "banner test";)

Or, for efficiency, instead of checking _EVERY_ tcp packet, only check useful ones
going to a normal http server:

alert tcp $LAN any -> any 80 ( content: "GET /banner/"; flags:A+; \
                  msg: "banner test";)
