[Snort-users] Rule works in replay file mode, but not when sniffing

Pavel Rantorski fhjull01 at ...15979...
Fri Jul 12 09:05:37 EDT 2013

I'm testing a rule that should (eventually) detect download/upload of specific file types from public HTTP servers. I could not get the rule to trigger, so I simplified it to:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test file download"; content:"Content-Disposition|3a|"; nocase; http_header; pcre:"/filename=/simH"; classtype:policy-violation; sid:1000004; rev:7;)

(the rule is nowhere near complete, it is simplified to be less prone to mistakes)

Unfortunatelly, the rule still does not work. I captured the traffic (on the same machine/interface that Snort was running) and verified that such packet is indeed there. When I let Snort analyze the traffic from this pcap file ('snort -A console -c /etc/snort/snort.conf -r /tmp/testdata5.pcap -l . -u snort'), the rule is fired on console correctly.

The rule is (in standard, sniffing mode) sometimes triggered as well (although never from this particular server I am testing).

What could be the cause of this? Snort is running in IDS mode (not inline) and is not dropping packets. LRO and GRO are disabled on network adapter. I have tried running Snort with '-k none' without any results.

I have attached small pcap sample of the traffic I'm trying to catch - this is enough to trigger the rule in replay mode, but didn't trigger when sniffing.

Thank you,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130712/4a51c076/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testdata5.pcap
Type: application/octet-stream
Size: 4427 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130712/4a51c076/attachment.obj>

More information about the Snort-users mailing list