[Snort-users] Question about rules

Joel Esler jesler at ...1935...
Wed Jan 27 09:13:10 EST 2010


Am I reading it wrong, or does your rule look for test_rule, but your <h1>
tag on the page you created say "teste_rule"?

J

On Wed, Jan 27, 2010 at 8:40 AM, Ricardo Barbosa <
ricardobarbosams at ...6873...> wrote:

> hello rmkml
>
> tested with the parameter-k none, however it did not work
> the lib pcap installed but I noticed this in the logs that he does not use
> it. getting a "snort not using pcap frames. Do I need to use to snort pcap
> lib? Is this the cause of it not quite get the http payload. Because I
> changed the rule and how I am doing tests from the browser text links
> changed the content:"Links" and it worked. I put the word "Links" because
> it oque appears in the wireshark logs. How do I enable the lib pcap with
> snort?
>
> I thank.
>
> Regards,
>
> --- Em *qua, 27/1/10, rmkml <rmkml at ...953...>* escreveu:
>
>
> De: rmkml <rmkml at ...953...>
> Assunto: Re: [Snort-users] Question about rules
> Para: "Ricardo Barbosa" <ricardobarbosams at ...6873...>
> Cc: rmkml at ...953...
> Data: Quarta-feira, 27 de Janeiro de 2010, 7:46
>
> ok thx you,
> maybe you have a (network) pcap please?
> do you have tested adding "-k none" on cmd line start snort ?
> Regards
> Rmkml
>
>
> On Wed, 27 Jan 2010, Ricardo Barbosa wrote:
>
> > Hi rmkml
> >
> > answering questions
> >
> >> what snort version you test please?
> >
> > root at ...14740...:~# snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.8.4.1 (Build 38)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/team.html
> >            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> >            Using PCRE version: 7.8 2008-09-05
> >
> > root at ...14740...:~#
> >
> >
> >> Do you send your conf?
> >
> > /etc/snort/snort.debian.conf
> > DEBIAN_SNORT_STARTUP="boot"
> > DEBIAN_SNORT_HOME_NET="20.0.0.0/8"
> > DEBIAN_SNORT_OPTIONS=""
> > DEBIAN_SNORT_INTERFACE="eth0"
> > DEBIAN_SNORT_SEND_STATS="true"
> > DEBIAN_SNORT_STATS_RCPT="root"
> > DEBIAN_SNORT_STATS_THRESHOLD="1"
> > /etc/snort/snort.conf
> > var HOME_NET $eth0_ADDRESS
> > var EXTERNAL_NET any
> > var DNS_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > portvar HTTP_PORTS 80
> > portvar SHELLCODE_PORTS !80
> > portvar ORACLE_PORTS 1521
> > var AIM_SERVERS
> > [
> 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205..188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
> ]
> > var RULE_PATH /etc/snort/rules
> > var PREPROC_RULE_PATH /etc/snort/preproc_rules
> > dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
> > dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first detect_anomalies
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >                               track_udp no
> > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor ftp_telnet: global \
> >    encrypted_traffic yes \
> >    inspection_type stateful
> > preprocessor ftp_telnet_protocol: telnet \
> >    normalize \
> >    ayt_attack_thresh 200
> > preprocessor ftp_telnet_protocol: ftp server default \
> >    def_max_param_len 100 \
> >    alt_max_param_len 200 { CWD } \
> >    cmd_validity MODE < char ASBCZ > \
> >    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> >    telnet_cmds yes \
> >    data_chan
> > preprocessor ftp_telnet_protocol: ftp client default \
> >    max_resp_len 256 \
> >    bounce yes \
> >    telnet_cmds yes
> > preprocessor smtp: \
> >   ports { 25 587 691 } \
> >   inspection_type stateful \
> >   normalize cmds \
> >   normalize_cmds { EXPN VRFY RCPT } \
> >   alt_max_command_line_len 260 { MAIL } \
> >   alt_max_command_line_len 300 { RCPT } \
> >   alt_max_command_line_len 500 { HELP HELO ETRN } \
> >   alt_max_command_line_len 255 { EXPN VRFY }
> > preprocessor sfportscan: proto  { all } \
> >                          memcap { 10000000 } \
> >                          sense_level { low }
> > preprocessor dcerpc2
> > preprocessor dcerpc2_server: default
> > preprocessor dns: \
> >     ports { 53 } \
> >     enable_rdata_overflow
> > preprocessor ssl: noinspect_encrypted, trustservers
> > output log_tcpdump: tcpdump.log
> > include classification.config
> > include reference.config
> > include $RULE_PATH/local.rules
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/community-exploit.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/community-dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/tftp.rules
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-php.rules
> > include $RULE_PATH/community-sql-injection.rules
> > include $RULE_PATH/community-web-client.rules
> > include $RULE_PATH/community-web-dos.rules
> > include $RULE_PATH/community-web-iis.rules
> > include $RULE_PATH/community-web-misc.rules
> > include $RULE_PATH/community-web-php.rules
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/community-oracle.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/community-ftp.rules
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/community-smtp.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/community-imap.rules
> > include $RULE_PATH/pop2..rules
> > include $RULE_PATH/pop3.rules
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/community-nntp.rules
> > include $RULE_PATH/community-sip.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/web-attacks.rules
> > include $RULE_PATH/backdoor.rules
> > include $RULE_PATH/community-bot.rules
> > include $RULE_PATH/community-virus.rules
> > include $RULE_PATH/experimental.rules
> > include threshold.conf
> >
> >> snort cmd line starting please?
> >
> > /usr/sbin/snort -m 027 -D -d -v -l /var/log/snort -u snort -g snort
> > -c /etc/snort/snort.conf -S HOME_NET=[10.0.0.0/8] -i eth0
> >
> >> for example, maybe disable checksum with '-k none' on cmd line...
> >> you have created a html page (http reply server side), and you have
> >> created a snort rule on client (to server) side...
> >> Regards
> > In desperation, I tried the following rules
> >
> > alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST
> > HTTP"; sid:100000000;)
> > alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP";
> > sid:100000000;)
> > alert tcp any any <> any any (content:"teste rule"; http_client_body;
> > msg:"TEST HTTP"; sid:100000000; depth:1000;)
> >
> > without sucess in all.
> >
> > no idea where i can be wrong or missing some pre-processador. I thank
> >
> > Regards.
> >
> >
> >
> >
> >
> ____________________________________________________________________________________
> > Veja quais são os assuntos do momento no Yahoo! +Buscados
> > http://br.maisbuscados.yahoo.com
>
>
> ------------------------------
> Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/>-
> Celebridades<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/celebridades/>-
> Música<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/m%C3%BAsica/>-
> Esportes<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/esportes/>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100127/1dbd8301/attachment.html>


More information about the Snort-users mailing list