[Snort-users] New in using snort by some troubles

Joel Esler jesler at ...1935...
Sun Apr 25 09:31:00 EDT 2010


Are you trying to detect this on the same box that you are generating the traffic on?  Try adding -k none to your command line. 

--
Sent from my iPad
AIM: eslerjoel

On Apr 24, 2010, at 10:00 PM, supercodeing35271 supercodeing35271 <supercodeing35271 at ...11827...> wrote:

> Hi, I have some trouble with Snort. The situation is that I want to test
> whether Snort can detect an SQL injection attack on my website, so I
> need to capture the HTTP form data sent to my website server, which is
> Tomcat.
> The rule file is just below,
> myrule.rules:
> include /home/my/mysnort/myrule/classification.config
> preprocessor stream5_global: \
>    max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
> 
> preprocessor stream5_tcp: \
>    policy first, use_static_footprint_sizes
> 
> preprocessor stream5_udp: \
>    ignore_any_rules
> 
> 
> preprocessor http_inspect: \
>    global iis_unicode_map unicode.map 1252
> 
> preprocessor http_inspect_server: \
>    server default profile all ports { 80 }
> 
> 
> alert tcp any any -> any any (msg:"SQL Injection - Paranoid";
> flow:to_server,established;uricontent:".jsp";content:"jjjjjjjjjj";classtype:Web-application-attack;
> sid:39099;)
> OK, now start Snort:
> sudo snort -i lo -l ./log -c /home/my/mysnort/myrule/myrule.rules
> Snort is running, but there is a message that says "Not Using
> PCAP_FRAMES"; I don't know what this means.
> Now I open Eclipse, run Tomcat, then run my website program in
> Eclipse. In the default.jsp page there is a form submit that acts as a
> login function. Now I enter the username "jjjjj" and password "jjjjj" and
> click the submit button; the login data must be sent to Tomcat for
> handling.
> If everything is OK, in the alert file I should see "SQL Injection
> - Paranoid", but in the file I only see a lot of "Bad Traffic Same
> Src/Dst".
> 
> 
> Now what should I do? As a new Snort user it seems that I have
> several things wrong, but I don't know exactly where the mistake
> is.
> So please help me, thanks!
> 
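The `-k` option suggested in the reply sets Snort's checksum mode (`all`, `noip`, `notcp`, `noudp`, `noicmp`, `none`). The following is an added example, not code from this thread or from Snort: a simplified model of why a sensor that verifies TCP checksums never evaluates rules against a segment captured on the sending host before its checksum is final, and why `-k none` changes that. The port 8080, the request text and the one-bit checksum error are constructed assumptions.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_segment(src, dst, sport, dport, payload, valid_checksum=True):
    """Build a PSH+ACK TCP segment without options."""
    def header(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, csum, 0)
    csum = internet_checksum(pseudo_header(src, dst, 20 + len(payload)) + header(0) + payload)
    if not valid_checksum:
        csum ^= 0x0001  # constructed stand-in for a field the sending host has not finalised
    return header(csum) + payload

def tcp_checksum_ok(src, dst, segment) -> bool:
    # A segment carrying its correct checksum sums to 0 after complementing.
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def sensor_inspects(src, dst, segment, checksum_mode="all") -> bool:
    """Simplified model: a segment that fails checksum verification never reaches the rules."""
    if checksum_mode in ("none", "notcp"):
        return True
    return tcp_checksum_ok(src, dst, segment)

# Constructed sample: the login form POST over loopback (port 8080 is an assumption).
BODY = b"username=jjjjj&password=jjjjj"
REQUEST = (b"POST /default.jsp HTTP/1.1\r\nHost: localhost\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
ON_WIRE = tcp_segment("127.0.0.1", "127.0.0.1", 40000, 8080, REQUEST)
LOCAL = tcp_segment("127.0.0.1", "127.0.0.1", 40000, 8080, REQUEST, valid_checksum=False)

if __name__ == "__main__":
    for name, seg in (("valid checksum", ON_WIRE), ("unfinalised checksum", LOCAL)):
        for mode in ("all", "none"):
            seen = sensor_inspects("127.0.0.1", "127.0.0.1", seg, mode)
            print(f"{name:22} -k {mode:4} inspected={seen}")
```

Disabling checksum verification suits a test sensor on the same host as the traffic; a sensor watching real network traffic normally keeps verification on so it does not alert on packets the destination would discard.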