[Snort-users] New in using snort by some troubles

supercodeing35271 supercodeing35271 supercodeing35271 at ...11827...
Sun Apr 25 01:00:02 EDT 2010


Hi, I have some trouble with Snort. The situation is that I want to test
whether Snort can detect an SQL injection attack on my website, so I
need to capture the HTTP form data sent to my website's server, which is
Tomcat.
The rule file is just below.
myrule.rules:
include /home/my/mysnort/myrule/classification.config
preprocessor stream5_global: \
    max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no

preprocessor stream5_tcp: \
    policy first, use_static_footprint_sizes

preprocessor stream5_udp: \
    ignore_any_rules


preprocessor http_inspect: \
    global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: \
    server default profile all ports { 80 }


alert tcp any any -> any any (msg:"SQL Injection - Paranoid"; \
    flow:to_server,established; uricontent:".jsp"; content:"jjjjjjjjjj"; \
    classtype:Web-application-attack; sid:39099;)
OK, now I start Snort:
sudo snort -i lo -l ./log -c /home/my/mysnort/myrule/myrule.rules
Snort is running; there is just a message that says "Not Using
PCAP_FRAMES", and I don't know what this means.
Now I open Eclipse, run Tomcat, and then run my website program in
Eclipse. On the default.jsp page there is a form that serves as a
login function. I enter the username "jjjjj" and password "jjjjj" and
click the submit button, so the login data must be sent to Tomcat for
handling.
If everything is OK, I should see "SQL Injection - Paranoid" in the
alert file, but in the file I only see a lot of "Bad Traffic Same
Src/Dst".


Now what should I do? As a newcomer to Snort it seems that I have
several things wrong, but I don't know exactly where the mistakes
are.
So please give me some help, thanks!
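
An added example, not part of the original post: a simplified offline check, in Python, of the rule's uricontent and content options against a constructed login request carrying the values the post describes. The request path, the form field names username and password, and all helper names are assumptions; it models only plain case-sensitive byte matching and assumes http_inspect is decoding the port the request arrives on.

```python
import re

# The rule from the post, joined onto one line.
RULE = ('alert tcp any any -> any any (msg:"SQL Injection - Paranoid"; '
        'flow:to_server,established;uricontent:".jsp";content:"jjjjjjjjjj";'
        'classtype:Web-application-attack; sid:39099;)')

# Constructed request. Path and field names are assumptions; the values are
# the "jjjjj" username and password the post says were submitted.
REQUEST = (b"POST /default.jsp HTTP/1.1\r\n"
           b"Host: localhost\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 29\r\n\r\n"
           b"username=jjjjj&password=jjjjj")

def rule_patterns(rule):
    """Extract the quoted uricontent/content patterns as bytes."""
    found = {"uricontent": [], "content": []}
    for key, value in re.findall(r'\b(uricontent|content)\s*:\s*"([^"]*)"', rule):
        found[key].append(value.encode())
    return found

def evaluate(rule, request):
    """Match uricontent against the request URI and content against the
    whole payload. Simplified: no flow state, modifiers or normalization."""
    uri = request.split(b"\r\n", 1)[0].split(b" ")[1]
    pats = rule_patterns(rule)
    results = {("uricontent", p): p in uri for p in pats["uricontent"]}
    results.update({("content", p): p in request for p in pats["content"]})
    return results

def would_alert(rule, request):
    """Every option in a rule must match for the rule to fire."""
    return all(evaluate(rule, request).values())

def longest_run(data, byte):
    """Length of the longest consecutive run of `byte` in `data`."""
    runs = re.findall(re.escape(byte) + b"+", data)
    return max((len(r) for r in runs), default=0)

if __name__ == "__main__":
    for (option, pattern), hit in evaluate(RULE, REQUEST).items():
        print(f"{option:<10} {pattern!r:<16} matched={hit}")
    need = len(rule_patterns(RULE)["content"][0])
    print(f"content needs {need} consecutive 'j' bytes; "
          f"payload's longest run is {longest_run(REQUEST, b'j')}")
    print("rule would alert:", would_alert(RULE, REQUEST))
```

Running the script prints the per-option result, so the option that blocks the alert for a given test request is visible before any live capture is involved.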