[Snort-users] question for snort flow established

JJ Cummings cummingsj at ...11827...
Mon Mar 18 11:04:14 EDT 2013


Checksum offloading

Sent from the iRoad

On Mar 18, 2013, at 8:51, waldo kitty <wkitty42 at ...14940...> wrote:

> On 3/17/2013 23:25, zhaojunling_20 wrote:
>> Dear Rmkml,
>> 
>> Thanks for your comment. With "-k none" added to the command line, it is
>> totally working. So let us close the topic.
>> Thanks again all of you for your help.
>> ###########
>> /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -k none
> 
> ignore my previous if "-k none" is working for you...
> 
> 
> [@ALL] why is this "-k none" suddenly needed more and more in recent months?? 
> we've never used it in any of our snort installations... is it special to a 
> certain set of NICs?? [/@ALL]
> 
> 
> 
>> Junling Zhao
>> 
>> At 2013-03-18 11:51:05,zhaojunling_20 <zhaojunling_2000 at ...7427...> wrote:
>> 
>>    Dear All,
>> 
>>    Can anyone help me with this topic? :(
>> 
>> 
>>    At 2013-03-17 11:03:33,zhaojunling_20 <zhaojunling_2000 at ...7427...
>>    <mailto:zhaojunling_2000 at ...7427...>> wrote:
>> 
>>        Dear All,
>> 
>>        By the way, if I comment out the keyword "established", the rule works. And I
>>        attached snort.conf and the output when I run
>>        snort</usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf>.
>>        The version of snort is snort Version 2.9.4.1 GRE
>> 
>>        #########
>>        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango
>>        adware installation request"; content:"Zango/Setup.exe"; flow:to_server,established;
>>        reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>>        classtype:policy-violation; sid:10000019; rev:3;)
>> 
>> 
>> 
>>        At 2013-03-17 10:41:52,zhaojunling_20 <zhaojunling_2000 at ...7427...
>>        <mailto:zhaojunling_2000 at ...7427...>> wrote:
>> 
>>            Dear friends,
>> 
>>            FYI
>>            # List of web servers on your network
>>            ipvar HTTP_SERVERS 10.2.11.2/24
>> 
>>            # List of ports you run web servers on
>>            portvar HTTP_PORTS
>>            [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
>> 
>> 
>>            At 2013-03-17 04:00:21,"waldo kitty" <wkitty42 at ...15530.... <mailto:wkitty42 at ...14940...>> wrote:
>>> On 3/16/2013 10:10, zhaojunling_20 wrote:
>>>> Dear All,
>>>> 
>>>> I have a little question, if I installed snort on my web server<ipaddress
>>>> 10.2.11.2> which has only one ethernet interface and snort inspect the
>>>> interface, does "flow with option established" work or not?
>>> 
>>> yes... it has to as several tens of thousands of rules use it ;)
>>> 
>>>> I have tested the below rule with
>>>> ----http://10.2.11.2/test.php?user=Zango/Setup.exe, no alert arose.
>>>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CLIENT Zango adware
>>> 
>>> what does your $HTTP_SERVERS and $HTTP_PORTS vars contain from your snort.conf??
>>> 
>>>> installation request"; content:"Zango/Setup.exe";flow: to_server,established;
>>>> reference:url,www.ftc.gov/os/caselist/0523130/index.shtm;
>>>> classtype:policy-violation; sid:10000019; rev:3;)
>>>> appreciate your help~
> 
> 
> 
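The "-k none" fix in this thread turns off Snort's checksum verification, which matters when checksum offloading leaves the TCP checksum unfilled in packets captured on the sending host itself (here, the web server running Snort). The following is an added example, not code from the thread or from Snort: it computes the TCP checksum (RFC 1071 over the IPv4 pseudo-header plus segment) for a constructed request to the server in the thread, shows that an offloaded segment fails verification while the same segment with a filled-in checksum passes, and models the inspect-or-skip decision that "-k none" changes. The client address, ports, sequence numbers and HTTP request are constructed.

```python
import struct

# Constructed sample traffic for the thread's scenario: a client (made-up address)
# requesting /test.php?user=Zango/Setup.exe from the web server 10.2.11.2.
SRC_IP = bytes([10, 2, 11, 100])
DST_IP = bytes([10, 2, 11, 2])
PAYLOAD = b"GET /test.php?user=Zango/Setup.exe HTTP/1.1\r\n\r\n"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum a TCP segment the way a receiver does: IPv4 pseudo-header + segment.
    Over a segment whose checksum field is already correct, the result is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def build_segment(sport: int, dport: int, payload: bytes, checksum: int = 0) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, seq/ack 1, window 65535) plus payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, checksum, 0)
    return header + payload


def offloaded_segment() -> bytes:
    """What a capture on the sending host shows when the NIC is expected to fill in
    the checksum later: the field is still 0, so verification fails."""
    return build_segment(51234, 80, PAYLOAD, checksum=0)


def corrected_segment() -> bytes:
    """The same segment with a valid checksum, as it appears on the wire."""
    draft = build_segment(51234, 80, PAYLOAD, checksum=0)
    return build_segment(51234, 80, PAYLOAD, checksum=tcp_checksum(SRC_IP, DST_IP, draft))


def reaches_rule_engine(segment: bytes, verify_checksums: bool = True) -> bool:
    """Model of Snort's decision: with checksum verification on (the default), a TCP
    segment whose checksum fails is not inspected, so a rule using flow:established
    never sees it; '-k none' disables the verification."""
    checksum_ok = tcp_checksum(SRC_IP, DST_IP, segment) == 0
    return checksum_ok or not verify_checksums
```

Before reaching for "-k none", the same check can be made on a real capture: a segment whose checksum field does not verify against the pseudo-header is the signature of checksum offloading on the capturing host, and disabling verification globally also stops Snort from discarding genuinely corrupt segments.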