[Snort-users] TCP packets detection problem ?

Josh Berry josh.berry at ...10221...
Mon Apr 19 07:23:07 EDT 2004


If the rule is actually typed in: KaZaA and the content in the traffic is: Kazaa, that is your problem. You have not specified in your rule nocase. Without specifying nocase, all of the content searches are case sensitive. Either put nocase; somewhere after the content specification or type in the correct case.


> Hello
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> preprocessor frag2
> preprocessor stream4: detect_scans,disable_evasion_alerts
> preprocessor stream4_reassemble
> ruletype test1
> {
> type alert
> }
>
> test1 tcp any any <> any any (content:"KaZaA";msg: "KAZAA TRAFFIC";)
> test1 tcp any any <> any any (msg: "ALL";)
>
> So I want to detect KAZAA TCP traffic. But when I launch
> snort with such configuration:
> snort -D -d -A fast -c /usr/local/etc/snort.conf
> I receive in logs only ALL logs, while I'm using the KAzaa client;
> moreover, in the ALL logs there are many strings KaZaA,
> for example:
>
> [**] ALL [**]
> 04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
> TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
> ***AP*** Seq: 0xA6E23B76  Ack: 0xEEA015A8  Win: 0x1920  TcpLen: 20
> 48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
> 76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
> 0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
> 30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
> 6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
> 4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
> 6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
>
> So why can snort not detect this traffic?
> The interesting thing is, if I write the word KaZaA on IRC, it's detected
> properly.
>
> Could anybody help ?
> Thanx
> Michal


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
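As an added example (not code from the thread or from Snort itself), the Python below rebuilds the payload from the packet dump Michal quoted and evaluates a rule line's content:/nocase; options against it, so you can see which spellings a case-sensitive content match hits and what adding nocase; changes. The rule-option parser is a deliberately minimal stand-in for Snort's (it ignores every option other than content and nocase and does no stream reassembly); that is an assumption of the example, not Snort's behaviour.

```python
import re

# Constructed from the hex columns of the packet dump quoted in the post.
DUMP = """\
48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
"""

def payload_from_dump(dump: str) -> bytes:
    """Decode the 16 hex columns of each dump line; the ASCII gutter
    (everything after the double space) is ignored."""
    return b"".join(bytes.fromhex(line.split("  ", 1)[0])
                    for line in dump.splitlines())

def content_offsets(payload: bytes, content: str, nocase: bool = False) -> list:
    """Every offset where content occurs; nocase compares case-insensitively."""
    needle, hay = content.encode(), payload
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return [m.start() for m in re.finditer(re.escape(needle), hay)]

# keyword, optional (quoted) value, terminating semicolon
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*"?([^";]*?)"?\s*)?;')

def rule_fires(rule: str, payload: bytes) -> bool:
    """Minimal model of Snort content matching: every content: option must
    occur in the payload, and a nocase; modifies the content option written
    before it. Other options (msg:, ...) are parsed and ignored."""
    if "(" not in rule or ")" not in rule:
        return False
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    contents = []                                   # [content, nocase]
    for m in OPTION_RE.finditer(body):
        keyword, value = m.group(1), m.group(2)
        if keyword == "content" and value is not None:
            contents.append([value, False])
        elif keyword == "nocase" and contents:
            contents[-1][1] = True
    # a rule with no content option (like the "ALL" rule) matches every packet
    return all(content_offsets(payload, c, nc) for c, nc in contents)
```

Running content_offsets over the dump shows why the spelling matters: "KaZaA" case-sensitively hits only the X-Kazaa-Network value, "Kazaa" hits only the two header names, and either one with nocase hits all three.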