[Snort-users] Trigger anomalies (on LXC container versus host)

Chris berzerkatives at ...11827...
Tue May 5 10:15:31 EDT 2015


On Mon, 04 May 2015 06:31:43 -0400
waldo kitty <wkitty42 at ...14940...> wrote:

> On 5/3/2015 8:07 PM, Chris wrote:
> > Here's the rule that one would expect to trigger.
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> > (msg:"WEB-CGI test.cgi access"; flow:to_server,established;
> > uricontent:"/test.cgi"; nocase; classtype:web-application-activity;
> > sid:1646; rev:5;)
> >
> > I'm left to think that I must be making a mistake somehow with my
> > playback testing, but I'm not sure what. Any ideas?
> 
> your rule has flow:to_server,established in it... could it be that
> your container snort hasn't seen the previous 3-way handshake packets
> and so doesn't consider this packet as "established"? we've seen
> similar when snort has flushed "old" unprocessed packets to make room
> for new ones in a heavy flow, low memory, high cpu usage situation...
> 

Hi Waldo,

To test this I removed the flow* clause from the rule (incremented
the rev, stopped then started Snort), but that didn't cause it to
trigger when I tested again. Any thoughts?

Thanks,
Chris
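The suggestion above turns on whether the capture being replayed actually contains the SYN / SYN-ACK / ACK exchange for the connection that carries the request; without those packets Snort's stream tracker never marks the session established and flow:to_server,established cannot match. The script below is an added example, not code from the thread or from the Snort project. It parses a classic little-endian libpcap file (Ethernet link type) using only the Python standard library, finds every TCP stream whose payload contains the URI the rule looks for, and reports which handshake segments were seen before that payload. The two captures it inspects are constructed inline; the hosts 10.0.0.5 and 10.0.0.80, port 40001 and the request line are assumptions chosen to mirror sid:1646. (One separate caveat when the flow option is dropped: uricontent matches against the URI that the http_inspect preprocessor has decoded, so the sensor still needs HTTP inspection enabled for the port being replayed.)

```python
"""Does a pcap hold the TCP handshake for the stream carrying /test.cgi?

Added example, not from the original thread.  Reads classic libpcap
(magic 0xa1b2c3d4, Ethernet) with only the standard library.  The hosts,
ports and request below are constructed test data, not from the page.
"""
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_pcap(packets):
    """Build a pcap from (src, dst, sport, dport, flags, payload) tuples.
    IP/TCP checksums are left zero; the parser below does not verify them."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, (src, dst, sport, dport, flags, payload) in enumerate(packets, 1):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                          5 << 4, flags, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                         64, 6, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split(".")))) + tcp
        eth = b"\x00" * 12 + b"\x08\x00" + ip
        out.append(struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for each TCP packet."""
    magic, = struct.unpack("<I", pcap[:4])
    linktype, = struct.unpack("<I", pcap[20:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], tcp[doff:])


def check_flows(pcap, needle=b"/test.cgi"):
    """Map each (client, cport, server, sport) stream that carries `needle`
    to the handshake parts seen before that payload.  This is the state
    Snort's stream tracker needs before flow:established can match."""
    seen = defaultdict(set)
    results = {}
    for src, dst, sport, dport, flags, payload in iter_tcp(pcap):
        fwd = (src, sport, dst, dport)   # key on the client side
        rev = (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            seen[fwd].add("syn")
        elif flags & SYN and flags & ACK:
            seen[rev].add("syn_ack")     # credit the client's stream
        elif flags & ACK and not payload and "syn_ack" in seen[fwd]:
            seen[fwd].add("ack")
        if needle in payload and fwd not in results:
            parts = seen[fwd]
            results[fwd] = {"handshake_seen": {"syn", "syn_ack", "ack"} <= parts,
                            "missing": sorted({"syn", "syn_ack", "ack"} - parts)}
    return results


# Constructed captures (not from the page): one complete stream, and the
# same request with the handshake absent, as when a capture or the sensor
# starts mid-connection.
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /test.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FULL_STREAM = build_pcap([
    (CLIENT, SERVER, 40001, 80, SYN, b""),
    (SERVER, CLIENT, 80, 40001, SYN | ACK, b""),
    (CLIENT, SERVER, 40001, 80, ACK, b""),
    (CLIENT, SERVER, 40001, 80, PSH | ACK, REQUEST),
])
MID_STREAM = build_pcap([(CLIENT, SERVER, 40001, 80, PSH | ACK, REQUEST)])

if __name__ == "__main__":
    for name, cap in (("full", FULL_STREAM), ("mid-stream", MID_STREAM)):
        for flow, state in check_flows(cap).items():
            print(name, flow, state)
```

Run it against a real replay file by replacing the constructed captures with `open("capture.pcap", "rb").read()`; a stream reported with `handshake_seen` False is one the sensor would never consider established, whichever host or container it runs on.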