[Snort-users] Alerts generated but no packets logged for URI Content rule

Snort User snortman009 at ...11827...
Wed Jun 27 00:37:08 EDT 2012


Running version 2.9.2.3 on Ubuntu Server 12.04

snort.conf file is almost identical to the file that comes with the source
download. I only commented out the reputation section.

The command line to launch snort is as follows:
snort -c snort.conf -l /var/log/snort -A full -i eth1

The rule I am using is as follows:
alert tcp any any -> any 80 (msg:"Electronics URI Content Detected";uricontent:"electronics";nocase;stream_reassemble:enable,both;sid:500200;)
5 Alerts are generated from the attached pcap file and look like the
following:
[**] [1:500200:0] Electronics URI Content Detected [**]
[Priority: 0]
06/27-00:07:42.602532 10.0.77.140:3809 -> 66.211.181.161:80
TCP TTL:103 TOS:0x20 ID:24622 IpLen:20 DgmLen:1149 DF
***A**** Seq: 0xAC93418A  Ack: 0x2A8B224C  Win: 0xF653  TcpLen: 20

The snort log file is created but is never filled with the packets
associated with the alerts.

Can anyone provide assistance?

Thank you.

Sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: electronics.pcap
Type: application/octet-stream
Size: 148559 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120627/2cac7a9b/attachment.obj>
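When alerts fire but the packet log stays empty, the first thing to establish is exactly which flows the alerts refer to, so the packet log can be searched for them. The following script is an added example, not code from the post or from the Snort project: it parses records in the `-A full` alert format quoted above into structured fields and builds a tcpdump/BPF expression for each alert's flow, which can then be run against the `snort.log.*` file to confirm whether those packets were written. The sample alert text is constructed here (the first record copies the one in the post, the second is invented to show multiple records); IPv4 addresses with TCP/UDP ports are assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Snort "-A full" alert output. The first record is the
# one quoted in the post; the second is made up to show a second flow.
SAMPLE_ALERT_FILE = """\
[**] [1:500200:0] Electronics URI Content Detected [**]
[Priority: 0]
06/27-00:07:42.602532 10.0.77.140:3809 -> 66.211.181.161:80
TCP TTL:103 TOS:0x20 ID:24622 IpLen:20 DgmLen:1149 DF
***A**** Seq: 0xAC93418A  Ack: 0x2A8B224C  Win: 0xF653  TcpLen: 20

[**] [1:500200:0] Electronics URI Content Detected [**]
[Priority: 0]
06/27-00:07:43.102201 10.0.77.140:3810 -> 66.211.181.161:80
TCP TTL:103 TOS:0x20 ID:24630 IpLen:20 DgmLen:1201 DF
***AP*** Seq: 0xAC934A00  Ack: 0x2A8B2300  Win: 0xF653  TcpLen: 20
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"  (IPv4 assumed; ports absent for ICMP)
PACKET_RE = re.compile(
    r'^(\d{2}/\d{2})-(\d{2}:\d{2}:\d{2}\.\d+) '
    r'([0-9.]+)(?::(\d+))? -> ([0-9.]+)(?::(\d+))?$')
# The protocol line starts with the transport protocol name.
PROTO_RE = re.compile(r'^(TCP|UDP|ICMP)\b')


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    date: str
    time: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str


def _parse_block(lines: List[str]) -> Optional[Alert]:
    """Parse one blank-line-delimited alert record; return None if malformed."""
    hdr = HEADER_RE.match(lines[0])
    if not hdr:
        return None
    pkt = proto = None
    for line in lines[1:]:
        pm = PACKET_RE.match(line)
        if pm:
            pkt = pm
        pr = PROTO_RE.match(line)
        if pr:
            proto = pr.group(1)
    if pkt is None or proto is None:
        return None
    return Alert(
        gid=int(hdr.group(1)), sid=int(hdr.group(2)), rev=int(hdr.group(3)),
        msg=hdr.group(4), date=pkt.group(1), time=pkt.group(2),
        src_ip=pkt.group(3), src_port=int(pkt.group(4)) if pkt.group(4) else None,
        dst_ip=pkt.group(5), dst_port=int(pkt.group(6)) if pkt.group(6) else None,
        proto=proto,
    )


def parse_full_alerts(text: str) -> List[Alert]:
    """Split an alert file into records (separated by blank lines) and parse each."""
    alerts: List[Alert] = []
    block: List[str] = []
    for line in text.splitlines() + ['']:   # trailing '' flushes the last record
        if line.strip():
            block.append(line)
            continue
        if block:
            parsed = _parse_block(block)
            if parsed:
                alerts.append(parsed)
            block = []
    return alerts


def bpf_filter(a: Alert) -> str:
    """BPF expression matching the alert's flow, usable with tcpdump -r on the packet log."""
    expr = f"{a.proto.lower()} and host {a.src_ip} and host {a.dst_ip}"
    if a.src_port is not None and a.dst_port is not None:
        expr += f" and port {a.src_port} and port {a.dst_port}"
    return expr


if __name__ == "__main__":
    for alert in parse_full_alerts(SAMPLE_ALERT_FILE):
        print(f"sid {alert.sid} rev {alert.rev}: {alert.src_ip}:{alert.src_port} -> "
              f"{alert.dst_ip}:{alert.dst_port}")
        print("  check packet log with: tcpdump -nr /var/log/snort/snort.log.<timestamp> "
              f"'{bpf_filter(alert)}'")
```

Feeding the real `alert` file from the log directory to `parse_full_alerts` and running the printed tcpdump command against the matching `snort.log.<timestamp>` file shows directly whether the flow behind each alert is present in the packet log or whether the log file is indeed empty for those flows.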