[Snort-users] TCP packets detection problem?

Antonio Eugenio Villar eugeniovillar at ...131...
Mon Apr 19 06:59:09 EDT 2004


I am having problems using content in Snort 2.x.x.
These problems do not appear in Snort 1.9.0. If you
want to try 1.9.0 to see if it works, let me know.



--- Michal Kowalski <x145 at ...3879...> wrote:
> Hello
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> preprocessor frag2
> preprocessor stream4: detect_scans,disable_evasion_alerts
> preprocessor stream4_reassemble
> ruletype test1
> {
> type alert
> }
> 
> test1 tcp any any <> any any (content:"KaZaA"; msg:"KAZAA TRAFFIC";)
> test1 tcp any any <> any any (msg:"ALL";)
> 
> So I want to detect KaZaA TCP traffic. But when I launch
> snort with such a configuration:
> snort -D -d -A fast -c /usr/local/etc/snort.conf
> I receive in the logs only ALL logs while I'm using the
> KaZaA client; moreover, in the ALL logs there are many
> strings "KaZaA", for example:
> 
> [**] ALL [**]
> 04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
> TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
> ***AP*** Seq: 0xA6E23B76  Ack: 0xEEA015A8  Win: 0x1920  TcpLen: 20
> 48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
> 76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
> 0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
> 30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
> 6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
> 4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
> 6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
> 
> So why can't Snort detect this traffic?
> The interesting thing is that if I write the word KaZaA on IRC,
> it's detected properly.
> 
> Could anybody help ?
> Thanks
> Michal
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



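The check below is an added example; it is not code from Michal's post, from Antonio's reply, or from Snort itself. It rebuilds the packet payload from the hex dump quoted above (copied here as a constructed sample in Snort's own one-line-per-16-bytes layout; the dump covers the first 112 of the packet's 182 payload bytes) and searches it the way a Snort content: keyword does: byte-exact by default, case-folded only when the rule carries nocase. Running it shows that the bytes really do contain "KaZaA" exactly, at offset 101 (plus two further hits, "X-Kazaa-User" and "X-Kazaa-Network", when case is ignored), so the miss reported in this thread is not a case-sensitivity problem with the pattern. The function names and the dump string are this example's own assumptions.

```python
import re

# Constructed sample: the Snort "-d" hex dump quoted in the post above, re-laid
# out in Snort's own one-line-per-16-bytes format. It holds the first 112 of the
# packet's 182 payload bytes (DgmLen 222 - 20 IP header - 20 TCP header).
SNORT_DUMP = """\
48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
"""

# Leading run of "XX " hex pairs on a dump line. Anchoring at the start of the
# line means the ASCII column is never mistaken for data, even where it happens
# to look like hex (the "00.." opening the fourth line's ASCII column).
HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")


def parse_snort_dump(dump):
    """Rebuild the raw payload bytes from a Snort -d style hex dump."""
    payload = bytearray()
    for line in dump.splitlines():
        m = HEX_RUN.match(line)
        if m:
            # bytes.fromhex() ignores the separating spaces.
            payload += bytes.fromhex(m.group(1))
    return bytes(payload)


def content_offsets(payload, pattern, nocase=False):
    """Every offset at which `pattern` occurs in `payload`.

    Mirrors the semantics of a Snort content: match: byte-exact by default,
    case-insensitive only when the rule carries the nocase modifier.
    """
    if nocase:
        hay, needle = payload.lower(), pattern.lower()
    else:
        hay, needle = payload, pattern
    offsets, start = [], 0
    while True:
        idx = hay.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def check_rule_content(dump, pattern):
    """Report what content:"<pattern>" would see, with and without nocase."""
    payload = parse_snort_dump(dump)
    return {
        "payload_len": len(payload),
        "exact": content_offsets(payload, pattern),
        "nocase": content_offsets(payload, pattern, nocase=True),
    }


if __name__ == "__main__":
    report = check_rule_content(SNORT_DUMP, b"KaZaA")
    print(report)
    payload = parse_snort_dump(SNORT_DUMP)
    for off in report["exact"]:
        print(f"exact match at offset {off}: {payload[off - 5:off + 5]!r}")
```

Rebuilding the payload and searching it yourself is the first thing to do when a content rule stays silent on traffic the packet logger plainly shows. If the bytes are there, as they are here, the pattern is not the problem and attention moves to the sensor itself (its version or its configuration), which is the direction the reply above takes with its 1.9.0 comparison.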