[Snort-users] question for snort flow established

zhaojunling_20 zhaojunling_2000 at ...7427...
Sat Mar 16 23:03:33 EDT 2013


Dear All,


By the way, if I comment out the keyword "established", the rule works. I attached snort.conf and the output when I run snort (/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf). The version of Snort is 2.9.4.1 GRE.


#########
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware installation request"; content:"Zango/Setup.exe"; flow:to_server,established; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:10000019; rev:3;)




At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 at ...7427...> wrote:

Dear friends,


FYI
# List of web servers on your network
ipvar HTTP_SERVERS 10.2.11.2/24


# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]



At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 at ...14940...> wrote:
>On 3/16/2013 10:10, zhaojunling_20 wrote:
>> Dear All,
>>
>> I have a little question: if I install snort on my web server <ip address
>> 10.2.11.2>, which has only one ethernet interface, and snort inspects that
>> interface, does "flow" with the option "established" work or not?
>
>yes... it has to as several tens of thousands of rules use it ;)
>
>> I have tested the below rule with
>> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>
>what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
>
>> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
>> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>> classtype:policy-violation; sid:10000019; rev:3;)
>> appreciate your help~
>



-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug
Type: application/octet-stream
Size: 29238 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130317/fbd3b0b1/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27012 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130317/fbd3b0b1/attachment-0001.obj>
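The thread turns on what "flow:to_server,established" actually requires: the stream tracker must have seen the TCP three-way handshake for the session before the content match is allowed to fire. The following toy model is an added example written for this archive page, not Snort's code or the poster's; it parses the posted rule, tracks handshake state for constructed packets and applies the header, flow and content checks. The client address 10.2.11.50, client port 40000, the shortened HTTP_PORTS list and the single-session tracker are all assumptions of the model; the real stream preprocessor is far more elaborate, and how it treats sessions it picks up mid-stream depends on its configuration.

```python
"""Toy model of a Snort rule's header, flow and content checks (added example, not Snort code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the rule from the thread (reference option dropped) and the posted vars,
# with the port list shortened to a few entries.
RULE = ('alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS ('
        'msg:"WEB-CLIENT Zango adware installation request"; content:"Zango/Setup.exe"; '
        'flow:to_server,established; classtype:policy-violation; sid:10000019; rev:3;)')
VARS = {"HTTP_SERVERS": "10.2.11.2/24", "HTTP_PORTS": [80, 81, 8080]}

OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split a rule into header fields and a dict of option lists (msg, content, flow, sid, ...)."""
    head, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = {}
    for name, val in OPT_RE.findall(body):
        val = val.strip()
        if val.startswith('"'):
            val = val[1:-1]
        opts.setdefault(name, []).append(val)
    return {"action": action, "proto": proto, "dst": dst, "dport": dport, "opts": opts}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    payload: bytes = b""


class FlowTracker:
    """Stand-in for the stream preprocessor: a session counts as 'established' only once the
    SYN, SYN/ACK and ACK of the three-way handshake have all been seen on the inspected interface."""
    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p):
        st = self.flows.setdefault(self.key(p), {"state": "NONE", "client": None})
        if "SYN" in p.flags and "ACK" not in p.flags:
            st["state"], st["client"] = "SYN_SENT", (p.src, p.sport)
        elif {"SYN", "ACK"} <= p.flags and st["state"] == "SYN_SENT":
            st["state"] = "SYN_RECV"
        elif "ACK" in p.flags and st["state"] == "SYN_RECV":
            st["state"] = "ESTABLISHED"
        return st


def header_ok(rule, p, variables):
    """Destination side of the rule header: $HTTP_SERVERS and $HTTP_PORTS (or 'any')."""
    if rule["dst"] != "any":
        # 10.2.11.2/24 has host bits set; the model masks it to 10.2.11.0/24.
        net = ipaddress.ip_network(variables[rule["dst"].lstrip("$")], strict=False)
        if ipaddress.ip_address(p.dst) not in net:
            return False
    return rule["dport"] == "any" or p.dport in variables[rule["dport"].lstrip("$")]


def matches(rule, p, st, variables=VARS):
    """Apply header, flow and content checks of a parsed rule to one packet with its flow state."""
    if not header_ok(rule, p, variables):
        return False
    for flow in rule["opts"].get("flow", []):
        for cond in (c.strip() for c in flow.split(",")):
            if cond == "established" and st["state"] != "ESTABLISHED":
                return False  # handshake never seen: no alert, whatever the payload says
            if cond == "to_server" and st["client"] is not None and st["client"] != (p.src, p.sport):
                return False  # model simplification: with no handshake, direction comes from the header
    return all(c.encode() in p.payload for c in rule["opts"].get("content", []))


def run(packets, rule_text=RULE):
    """Feed packets through the tracker and return the sids that alert, in order."""
    rule = parse_rule(rule_text)
    tracker = FlowTracker()
    return [int(rule["opts"]["sid"][0]) for p in packets if matches(rule, p, tracker.update(p))]


# Constructed traffic: the request from the thread, with and without its handshake.
CLIENT, SERVER = "10.2.11.50", "10.2.11.2"
GET = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\nHost: 10.2.11.2\r\n\r\n"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),
]
REQUEST = Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK", "PSH"}), GET)

if __name__ == "__main__":
    print("handshake seen:     ", run(HANDSHAKE + [REQUEST]))
    print("handshake missed:   ", run([REQUEST]))
    print("without established:", run([REQUEST], RULE.replace(",established", "")))
```

The three runs reproduce the behaviour reported in the thread: with the handshake on the wire the rule alerts, with only the data packet it stays silent, and dropping "established" makes the same packet alert again. When a rule that carries "established" never fires although the content is clearly present, the first thing to check is whether the sensor actually saw the session start (capture started mid-session, asymmetric traffic, or a stream preprocessor that is not tracking the session), not the content match.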

