[Snort-users] TCP packets detection problem ?

Michal Kowalski x145 at ...3879...
Sun Apr 18 23:23:01 EDT 2004


Hello
Here is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
preprocessor frag2
preprocessor stream4: detect_scans,disable_evasion_alerts
preprocessor stream4_reassemble
ruletype test1
{
type alert
}

test1 tcp any any <> any any (content:"KaZaA";msg: "KAZAA TRAFFIC";)
test1 tcp any any <> any any (msg: "ALL";)

So I want to detect KAZAA TCP traffic. But when I launch
snort with such configuration:
snort -D -d -A fast -c /usr/local/etc/snort.conf
I receive in the logs only ALL logs while I'm using the KaZaA client;
moreover, in the ALL logs there are many strings KaZaA,
for example:

[**] ALL [**]
04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
***AP*** Seq: 0xA6E23B76  Ack: 0xEEA015A8  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka

So why can snort not detect this traffic?
The interesting thing is that if I write the word KaZaA on IRC it's detected
properly.

Could anybody help?
Thanks
Michal
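An added example, not part of the post above and not Snort's own code: a small Python model of what the `content` keyword tests, run against the payload bytes rebuilt from the hex dump quoted in the message. Snort's `content` match is a literal byte search that is case-sensitive unless the rule carries `nocase`, so decoding the dump and searching it isolates the pattern from the rest of the pipeline (stream4 reassembly, rule ordering, alert logging) when you are checking why a rule does or does not fire. The hex lines below are the ones quoted in the post; the payload they decode to is only the 112 bytes the post shows (the packet's DgmLen:222 with 20-byte IP and TCP headers implies 182 payload bytes), and the function names are this example's own.

```python
# Hex/ASCII dump lines as quoted in the post (Snort -d output, payload only).
# Constructed input for this example: the post's dump is cut off after
# 112 bytes, so this is the visible prefix of the packet, not the whole payload.
SNORT_DUMP_LINES = [
    "48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser",
    "76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable",
    "0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3",
    "30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User",
    "6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T",
    "4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw",
    "6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka",
]


def parse_snort_hexdump(lines):
    """Rebuild payload bytes from Snort's hex/ASCII dump lines.

    Each line carries up to 16 hex bytes separated by single spaces, then
    two spaces, then the printable-ASCII rendering. Splitting at the first
    double space keeps the ASCII column (which may itself contain spaces
    and digits) out of the hex field.
    """
    payload = bytearray()
    for line in lines:
        hex_field, _, _ascii_column = line.partition("  ")
        payload += bytes.fromhex(hex_field)  # fromhex() tolerates the spaces
    return bytes(payload)


def content_matches(payload, content, nocase=False):
    """Model Snort's content:"..." test: a literal byte search,
    case-sensitive unless the rule also says nocase."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def count_matches(payload, content, nocase=False):
    """How many non-overlapping copies of the pattern the payload holds."""
    if nocase:
        return payload.lower().count(content.lower())
    return payload.count(content)


def evaluate_rules(payload):
    """Apply the post's two rules, plus a nocase variant of the first,
    to one payload and report which would match on content alone."""
    rules = [
        # (msg, content bytes or None for a content-less rule, nocase)
        ("KAZAA TRAFFIC", b"KaZaA", False),
        ("KAZAA TRAFFIC (nocase)", b"KaZaA", True),
        ("ALL", None, False),
    ]
    results = {}
    for msg, content, nocase in rules:
        if content is None:
            results[msg] = True  # no content test: every packet qualifies
        else:
            results[msg] = content_matches(payload, content, nocase)
    return results


if __name__ == "__main__":
    data = parse_snort_hexdump(SNORT_DUMP_LINES)
    print(len(data), "bytes decoded")
    for msg, hit in evaluate_rules(data).items():
        print(f"{msg:24s} {'match' if hit else 'no match'}")
    print("case-sensitive KaZaA :", count_matches(data, b"KaZaA"))
    print("case-insensitive kazaa:", count_matches(data, b"kazaa", nocase=True))
```

Run against the quoted packet, the case-sensitive `KaZaA` pattern does match (the `X-Kazaa-Network: KaZaA` header carries it exactly once), while a lowercase `kazaa` pattern would only match with `nocase`, where it hits three times. Because the content test itself passes on these bytes, a missed alert on this packet is not explained by the pattern's case; the check narrows the question to what Snort saw and logged for that packet rather than to the rule text.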

