[Snort-users] question for snort flow established
wkitty42 at ...14940...
Mon Mar 18 10:48:35 EDT 2013
On 3/17/2013 22:51, zhaojunling_20 wrote:
> Dear All,
> Could anyone help me with this topic? :(
first: it was the weekend... not many folks are available at their business to
get these emails on the weekend...
second: please give folks time to get to where they can read the thread and
formulate a post /if/ they have anything to offer...
"established" means that a proper three-way handshake has taken place and the
TCP connection is good...
what does a pcap of that specific traffic flow show? the whole stream from the
initial syn to the final tear down of the connection... you'll need something
other than snort to capture this... tcpdump or wireshark...
> At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 at ...7427...> wrote:
> Dear All,
> By the way, if I comment out the keyword "_established"_, the rule works. And I
> attached snort.conf and the output when I run
> snort</usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf>.
> version of snort is snort Version 22.214.171.124 GRE
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
> installation request"; content:"Zango/Setup.exe";flow:
> classtype:policy-violation; sid:10000019; rev:3;)
> At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 at ...7427...
> <mailto:zhaojunling_2000 at ...7427...>> wrote:
> Dear friends,
> # List of web servers on your network
> ipvar HTTP_SERVERS 10.2.11.2/24
> # List of ports you run web servers on
> portvar HTTP_PORTS
> At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>> wrote:
> >On 3/16/2013 10:10, zhaojunling_20 wrote:
> >> Dear All,
> >> I have a little question, if I installed snort on my web server<ipaddress
> >> 10.2.11.2> which has only one ethernet interface and snort inspect the
> >> interface, does "flow with option established" work or not?
> >yes... it has to as several tens of thousands of rules use it ;)
> >> I have tested the below rule with
> >> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert was raised.
> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
> >what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
> >> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
> >> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
> >> classtype:policy-violation; sid:10000019; rev:3;)
> >> appreciate your help~
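To make the "established" point from the reply above concrete, here is an added toy flow tracker (written for this page, not Snort's stream preprocessor and not code from anyone in the thread) that approximates what has to be observed before a rule with flow:to_server,established can match the request in the thread. The client address 10.2.11.50, the port numbers and the two packet sequences are constructed.

```python
from dataclasses import dataclass

SERVER = ("10.2.11.2", 80)          # the $HTTP_SERVERS host / $HTTP_PORTS port from the thread
CONTENT = b"Zango/Setup.exe"        # the rule's content: keyword

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                      # any of "S", "A", "F", "R"
    payload: bytes = b""

class FlowTracker:
    """Tracks each connection through the three-way handshake. A flow is only
    ESTABLISHED after SYN, SYN/ACK and ACK have all been seen; a flow picked
    up mid-stream (no SYN observed by the sensor) never reaches that state."""
    def __init__(self):
        self.state = {}

    @staticmethod
    def _key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def update(self, p):
        k = self._key(p)
        s = self.state.get(k, "NONE")
        if "R" in p.flags or ("F" in p.flags and s == "ESTABLISHED"):
            s = "CLOSED"
        elif s == "NONE" and p.flags == "S":
            s = "SYN"
        elif s == "SYN" and "S" in p.flags and "A" in p.flags:
            s = "SYN_ACK"
        elif s == "SYN_ACK" and "A" in p.flags and "S" not in p.flags:
            s = "ESTABLISHED"
        self.state[k] = s
        return s

def rule_fires(p, state, require_established=True):
    """flow:to_server,established plus the content match, as in the thread's rule."""
    to_server = (p.dst, p.dport) == SERVER
    established = state == "ESTABLISHED" or not require_established
    return to_server and established and CONTENT in p.payload

def alerts(packets, require_established=True):
    """Number of packets in the sequence that would trigger the rule."""
    tr = FlowTracker()
    return sum(rule_fires(p, tr.update(p), require_established) for p in packets)

C, S = ("10.2.11.50", 40001), SERVER
GET = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\n"
# Constructed: the sensor saw the whole handshake, then the request.
FULL = [Pkt(*C, *S, "S"), Pkt(*S, *C, "SA"), Pkt(*C, *S, "A"), Pkt(*C, *S, "A", GET)]
# Constructed: the sensor started mid-connection and never saw the handshake.
MIDSTREAM = [Pkt(*C, *S, "A", GET)]
```

Running alerts() over both sequences shows why a pcap of the whole stream matters: the request only counts as "established" when the SYN, SYN/ACK and ACK were all captured, while dropping the established requirement (as in the thread) makes the mid-stream request match too.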