[Snort-users] question for snort flow established

waldo kitty wkitty42 at ...14940...
Mon Mar 18 10:48:35 EDT 2013


On 3/17/2013 22:51, zhaojunling_20 wrote:
> Dear All,
>
> Could anyone help me with this topic? :(

first: it was the weekend... not many folks are available at their business to 
get these emails on the weekend...

second: please give folks time to get to where they can read the thread and 
formulate a post /if/ they have anything to offer...


"established" means that a proper three-way handshake has taken place and the 
TCP connection is good...

what does a pcap of that specific traffic flow show? the whole stream from the 
initial syn to the final tear down of the connection... you'll need something 
other than snort to capture this... tcpdump or wireshark...


> At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 at ...7427...> wrote:
>
>     Dear All,
>
>     By the way, if I comment out the keyword "established", the rule works. And I
>     attached snort.conf and output when I run
>     snort</usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf>.
>     version of snort is snort Version 2.9.4.1 GRE
>
>     #########
>     alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>     installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
>     reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>     classtype:policy-violation; sid:10000019; rev:3;)
>
>
>
>     At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 at ...7427...
>     <mailto:zhaojunling_2000 at ...7427...>> wrote:
>
>         Dear friends,
>
>         FYI
>         # List of web servers on your network
>         ipvar HTTP_SERVERS 10.2.11.2/24
>
>         # List of ports you run web servers on
>         portvar HTTP_PORTS
>         [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
>
>
>         At 2013-03-17 04:00:21, "waldo kitty" <wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>> wrote:
>         >On 3/16/2013 10:10, zhaojunling_20 wrote:
>         >> Dear All,
>         >>
>         >> I have a little question: if I installed snort on my web server<ipaddress
>         >> 10.2.11.2> which has only one ethernet interface and snort inspects the
>         >> interface, does "flow with option established" work or not?
>         >
>         >yes... it has to, as several tens of thousands of rules use it ;)
>         >
>         >> I have tested the below rule with
>         >> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
>         >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>         >
>         >what do your $HTTP_SERVERS and $HTTP_PORTS vars contain in your snort.conf??
>         >
>         >> installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
>         >> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>         >> classtype:policy-violation; sid:10000019; rev:3;)
>         >> appreciate your help~
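An added worked example (not from the thread and not Snort's own code) of what "established" demands of a capture: it replays a TCP stream through a small handshake tracker and evaluates the thread's rule, content:"Zango/Setup.exe"; flow:to_server,established;, against it. The client address 10.2.11.5, the sequence numbers and the HTTP request are constructed test data, checksums are left zero, and the tracker is a deliberately simplified stand-in for Snort's stream preprocessor. write_pcap/read_pcap produce the raw-IP (linktype 101) pcap container so the same stream could be saved and inspected with tcpdump or wireshark.

```python
"""Replay a TCP stream through a minimal model of Snort's flow:established.

Added example, not code from the thread or from Snort: packets are built
inline (IPv4+TCP, checksums left zero) instead of read from a real capture,
and the handshake tracker is far simpler than Snort's stream preprocessor.
"""
import socket
import struct

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

def build_tcp(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Build a bare IPv4+TCP packet (constructed test data, no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_tcp(pkt):
    """Return (src, sport, dst, dport, flags, payload) for an IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]

class FlowTracker:
    """Follow the three-way handshake per flow, keyed client->server."""

    def __init__(self):
        self.state = {}  # (client, cport, server, sport) -> handshake state

    def feed(self, pkt):
        """Return ('to_server'|'to_client', payload) once the flow is
        established, or None while no complete handshake has been seen."""
        src, sp, dst, dp, flags, payload = parse_tcp(pkt)
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        if flags & RST:                                   # flow torn down
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
            return None
        if flags & SYN and not flags & ACK:               # client SYN
            self.state[fwd] = "SYN_SENT"
            return None
        if flags & SYN and self.state.get(rev) == "SYN_SENT":   # SYN/ACK
            self.state[rev] = "SYN_RECV"
            return None
        if flags & ACK and self.state.get(fwd) == "SYN_RECV":   # final ACK
            self.state[fwd] = "ESTABLISHED"
        if self.state.get(fwd) == "ESTABLISHED":
            return "to_server", payload
        if self.state.get(rev) == "ESTABLISHED":
            return "to_client", payload
        return None  # sensor joined mid-stream: 'established' never satisfied

def rule_matches(packets, content, direction="to_server"):
    """Emulate content:<X>; flow:<direction>,established; over a packet list."""
    tracker = FlowTracker()
    for pkt in packets:
        hit = tracker.feed(pkt)
        if hit and hit[0] == direction and content in hit[1]:
            return True
    return False

def rule_matches_stateless(packets, content):
    """The same content check with the flow option commented out."""
    return any(content in parse_tcp(p)[5] for p in packets)

def write_pcap(packets):
    """Serialise packets as a pcap file, linktype 101 (raw IPv4, no Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1363500000 + i, 0, len(p), len(p)) + p
    return out

def read_pcap(data):
    """Read a linktype-101 pcap back into a list of packets."""
    pkts, off = [], 24
    while off < len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        pkts.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return pkts

# Constructed streams: client 10.2.11.5 talking to the web server 10.2.11.2:80
C, S = "10.2.11.5", "10.2.11.2"
REQUEST = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\nHost: 10.2.11.2\r\n\r\n"
HANDSHAKE_THEN_GET = [
    build_tcp(C, S, 40000, 80, SYN, 1000, 0),
    build_tcp(S, C, 80, 40000, SYN | ACK, 5000, 1001),
    build_tcp(C, S, 40000, 80, ACK, 1001, 5001),
    build_tcp(C, S, 40000, 80, PSH | ACK, 1001, 5001, REQUEST),
]
GET_ONLY = HANDSHAKE_THEN_GET[3:]  # what a sensor started after the handshake sees
```

Running rule_matches(HANDSHAKE_THEN_GET, b"Zango/Setup.exe") returns True, while rule_matches(GET_ONLY, ...) returns False and rule_matches_stateless(GET_ONLY, ...) returns True: a stream whose SYN/SYN-ACK/ACK the sensor never saw can match the bare content check but never the established variant, which is why the full capture from the initial SYN onward is the first thing to look at.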
