[Snort-users] Having trouble firing certain rules

Robert Parker robertmparker at ...11827...
Mon Sep 24 12:34:32 EDT 2012


So I just installed snort yesterday, and I'm having trouble getting it
to fully work.  It will fire one of my rules, but not the other ones.
I'm not sure what the problem is, I verified that snort was receiving
all the packets, and the rules look fine.

Setup:
Two Ubuntu 12.04 VMs running in VirtualBox, and configured over a
local network.  The box with snort is 192.168.1.3, and the other one
is 192.168.1.2.

Command used to run snort:
sudo snort -u snort -c /etc/snort/snort.conf -i eth1 -v --alert-before-pass

My rules:
alert tcp any any -> any any (pcre:"/\d{3}-\d{2}-\d{4}/"; msg:"SSN
Traffic"; sid:7000003;)
alert tcp any any -> any any (content:"helloworld"; msg:"Hello World
in TCP"; sid:7000002;)
alert ip any any -> 192.168.1.3 any (msg:"Traffic to this computer";
sid:7000005;)
alert ip any any -> 192.168.1.2 any (msg:"Traffic to other computer";
sid:7000006;)

Please only look at the last two rules for the moment.  Whenever there
are packets sent back and forth between the two computers, both rules
should be fired.  I am using wget to make an HTTP request from the
192.168.1.2 computer to try and trigger the rule.

So the expected result is that the last two rules should both cause
alerts, but I am only seeing alert messages for "Traffic to this
computer".  Snort is being run in verbose mode, and it is printing out
the packets it is receiving.  Snort is printing out traffic going both
ways, so it doesn't seem to be a data acquisition problem.

Installation method:
http://openmaniak.com/snort_tutorial_snort.php
I followed this guide using the apt-get method, so my version is
probably not the latest

robert at ...15841...:~$ snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4


Any help you can give would be greatly appreciated.  I dreamed about
snort last night!

Robert Parker
RobertMParker at ...11827..., rparker at ...15842...




More information about the Snort-users mailing list