[Snort-users] question for snort flow established

waldo kitty wkitty42 at ...14940...
Mon Mar 18 10:51:24 EDT 2013


On 3/17/2013 23:25, zhaojunling_20 wrote:
> Dear Rmkml,
>
> Thanks for your comment command line with " -k none" added. And then it is
> totally working. So let us close the topic.
> Thanks again all of you for your help.
> ###########
> /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -k none

ignore my previous if "-k none" is working for you...


[@ALL] why is this "-k none" suddenly needed more and more in recent months?? 
we've never used it in any of our snort installations... is it special to a 
certain set of NICs?? [/@ALL]



> Junling Zhao
>
> At 2013-03-18 11:51:05,zhaojunling_20 <zhaojunling_2000 at ...7427...> wrote:
>
>     Dear All,
>
>     Does anyone help me with this topic. :(
>
>
>     At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 at ...7427...
>     <mailto:zhaojunling_2000 at ...7427...>> wrote:
>
>         Dear All,
>
>         By the way, if I comment out the keyword "established", the rule works. And I
>         attached snort.conf and the output when I run
>         snort </usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf>.
>         The version of snort is Version 2.9.4.1 GRE
>
>         #########
>         alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango
>         adware installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
>         reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>         classtype:policy-violation; sid:10000019; rev:3;)
>
>
>
>         At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 at ...7427...
>         <mailto:zhaojunling_2000 at ...7427...>> wrote:
>
>             Dear friends,
>
>             FYI
>             # List of web servers on your network
>             ipvar HTTP_SERVERS 10.2.11.2/24
>
>             # List of ports you run web servers on
>             portvar HTTP_PORTS
>             [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
>
>
>             At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>> wrote:
>             >On 3/16/2013 10:10, zhaojunling_20 wrote:
>             >> Dear All,
>             >>
>             >> I have a little question, if I installed snort on my web server <ipaddress
>             >> 10.2.11.2> which has only one ethernet interface and snort inspects the
>             >> interface, does "flow with option established" work or not?
>             >
>             >yes... it has to as several tens of thousands of rules use it ;)
>             >
>             >> I have tested the below rule with
>             >> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
>             >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>             >
>             >what do your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
>             >
>             >> installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
>             >> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>             >> classtype:policy-violation; sid:10000019; rev:3;)
>             >> appreciate your help~
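The "-k none" switch the thread settles on is Snort's checksum-mode option (`-k <mode>`, default `all`): with verification on, a packet whose IP or TCP checksum fails is set aside before the stream engine tracks it, so a session made of such packets never reaches the `established` state. That is consistent with the symptom above (rule fires without `established`, silent with it) and with the common cause when Snort sniffs the host's own NIC, as on the web server here: checksum offload leaves the TCP checksum unfilled in what the capture sees. Rather than turning verification off blindly, a defender can first confirm that captured segments really do fail the check. The Python below is an added example, not Snort code or anything posted in the thread; it constructs two IPv4/TCP segments toward 10.2.11.2:80 carrying the request URL from the thread, one with a correct TCP checksum and one whose checksum field was never filled in, and reports which would be discarded under checksum verification. The source address 10.2.11.50 and the sequence numbers are made up for the example.

```python
"""Verify IPv4 and TCP checksums of raw packets (RFC 1071 one's-complement sum),
the check Snort applies in its default "-k all" mode and skips with "-k none".
Added example; the two packets are constructed in-line, not captured traffic."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by IP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum value to place in the header: the complement of the sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload, *, valid=True):
    """Return an IPv4+TCP packet without the Ethernet header.
    valid=False leaves the TCP checksum field at 0, which is what a capture on a
    host whose NIC does TCP checksum offload shows for its own outbound segments."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    seq, ack, flags = 1000, 2000, 0x18          # PSH|ACK data segment (made-up numbers)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    segment = tcp_hdr + payload
    if valid:
        pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
        segment = segment[:16] + struct.pack("!H", checksum(pseudo + segment)) + segment[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, socket.IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + segment


def verify_checksums(packet: bytes) -> dict:
    """Return {'ip': bool, 'tcp': bool}. A correct checksum makes the sum over the
    covered bytes, checksum field included, come out as 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    tcp_ok = False
    if proto == socket.IPPROTO_TCP:
        segment = packet[ihl:total_len]
        pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
        tcp_ok = ones_complement_sum(pseudo + segment) == 0xFFFF
    return {"ip": ip_ok, "tcp": tcp_ok}


def count_bad_tcp(packets) -> int:
    """Number of segments checksum verification would set aside (Snort's -k all)."""
    return sum(1 for p in packets if not verify_checksums(p)["tcp"])


# Request URL from the thread; the Host header is the web server address 10.2.11.2.
PAYLOAD = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\nHost: 10.2.11.2\r\n\r\n"


def sample_capture():
    """Constructed two-packet 'capture': one good segment, one with an unfilled checksum."""
    good = build_tcp_packet("10.2.11.50", "10.2.11.2", 40000, 80, PAYLOAD)
    offloaded = build_tcp_packet("10.2.11.50", "10.2.11.2", 40001, 80, PAYLOAD, valid=False)
    return [good, offloaded]


if __name__ == "__main__":
    pkts = sample_capture()
    for p in pkts:
        print(verify_checksums(p))
    print("segments set aside under checksum verification:", count_bad_tcp(pkts))
```

Run against a real capture, a high bad-checksum count only for the capturing host's own outbound segments points at offload on that NIC (disabling offload on the sniffing interface, or `-k none`, are the two remedies); bad checksums on traffic from other hosts are worth a closer look before verification is turned off.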
