[Snort-users] Trigger anomalies (on LXC container versus host)
wkitty42 at ...14940...
Mon May 4 06:31:43 EDT 2015
On 5/3/2015 8:07 PM, Chris wrote:
> Here's the rule that one would expect to trigger.
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
> test.cgi access"; flow:to_server,established; uricontent:"/test.cgi";
> nocase; classtype:web-application-activity; sid:1646; rev:5;)
> I'm left to think that I must be making a mistake somehow with my
> playback testing, but I'm not sure what. Any ideas?
Your rule has flow:to_server,established in it... could it be that your
container snort hasn't seen the preceding 3-way handshake packets and so doesn't
consider this packet "established"? We've seen something similar when snort has flushed
"old" unprocessed packets to make room for new ones in a heavy-flow, low-memory,
high-CPU-usage situation...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
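To make the reply's point concrete, here is an added example that is not from this thread or from the Snort project. It is a deliberately small Python model of what a stream-tracking preprocessor does before a rule with flow:to_server,established is even consulted: a session only becomes "established" after the SYN, SYN/ACK and ACK have all been seen, and a session can be pruned to make room for new ones. The rule check models sid 1646 from the quoted rule with $HTTP_PORTS assumed to be port 80; the addresses, port numbers and the HTTP request are constructed for the example. Real Snort's behaviour for sessions picked up mid-stream depends on its stream preprocessor configuration, which this model does not reproduce.

```python
from collections import OrderedDict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Pkt:
    """One TCP packet: endpoints, flags and payload (no IP/TCP parsing, for brevity)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class StreamTracker:
    """Toy model of a stream preprocessor: tracks 3-way handshakes, prunes old sessions."""

    def __init__(self, max_sessions=2):
        self.sessions = OrderedDict()  # session key -> {"state", "client"}
        self.max_sessions = max_sessions

    @staticmethod
    def _key(p):
        # Direction-independent 4-tuple so both sides of a flow share one session.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _insert(self, key, state):
        if len(self.sessions) >= self.max_sessions:
            # Memory pressure: evict the least recently seen session (like the
            # flushing of "old" sessions mentioned in the reply).
            self.sessions.popitem(last=False)
        self.sessions[key] = state

    def observe(self, p):
        """Advance session state for one packet; returns the state name."""
        key = self._key(p)
        st = self.sessions.get(key)
        if st is None:
            if p.flags & SYN and not p.flags & ACK:
                self._insert(key, {"state": "SYN_SENT", "client": (p.src, p.sport)})
                return "syn_sent"
            return "no_session"  # mid-stream packet: no handshake seen, nothing tracked
        self.sessions.move_to_end(key)
        if (st["state"] == "SYN_SENT" and p.flags & SYN and p.flags & ACK
                and (p.dst, p.dport) == st["client"]):
            st["state"] = "SYN_RCVD"
        elif st["state"] == "SYN_RCVD" and p.flags & ACK and (p.src, p.sport) == st["client"]:
            st["state"] = "ESTABLISHED"
        return st["state"].lower()

    def is_established_to_server(self, p):
        """What flow:to_server,established asks: tracked, fully handshaken, client->server."""
        st = self.sessions.get(self._key(p))
        return st is not None and st["state"] == "ESTABLISHED" and (p.src, p.sport) == st["client"]


def rule_1646_matches(tracker, p):
    """Model of sid 1646: flow:to_server,established; uricontent:"/test.cgi"; nocase.
    $HTTP_PORTS is assumed to be 80; $EXTERNAL_NET/$HTTP_SERVERS are not modelled."""
    if p.dport != 80 or not p.payload:
        return False
    if not tracker.is_established_to_server(p):
        return False  # this is why a replayed request without its handshake never alerts
    request_line = p.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) >= 2 and b"/test.cgi" in parts[1].lower()


# Constructed traffic (RFC 5737 documentation addresses).
CLIENT, SERVER = "203.0.113.5", "192.0.2.10"
REQ = b"GET /Test.CGI?x=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def handshake():
    return [Pkt(CLIENT, 40000, SERVER, 80, SYN),
            Pkt(SERVER, 80, CLIENT, 40000, SYN | ACK),
            Pkt(CLIENT, 40000, SERVER, 80, ACK)]


def request():
    return Pkt(CLIENT, 40000, SERVER, 80, ACK, REQ)


def replay(packets, tracker=None):
    """Feed packets through the tracker and count rule hits."""
    tracker = tracker or StreamTracker()
    return sum(1 for p in packets if (tracker.observe(p), rule_1646_matches(tracker, p))[1])


def full_session():
    return replay(handshake() + [request()])            # handshake seen: 1 alert


def midstream_only():
    return replay([request()])                          # request only: 0 alerts


def pruned_session():
    # Handshake seen, then two new flows exhaust the session table and evict it
    # before the request arrives: 0 alerts.
    filler = [Pkt("198.51.100.%d" % i, 50000 + i, SERVER, 80, SYN) for i in (1, 2)]
    return replay(handshake() + filler + [request()], StreamTracker(max_sessions=2))


if __name__ == "__main__":
    print("full session:", full_session(), "mid-stream only:", midstream_only(),
          "pruned:", pruned_session())
```

The practical check this suggests for the playback test: confirm the pcap being replayed to the container actually contains the SYN, SYN/ACK and ACK for the test.cgi connection, and that the container's snort is not dropping or pruning sessions under load before the request packet arrives.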