[Snort-users] Snort -Problem with rule -

Al Lewis (allewi) allewi at ...589...
Sun Apr 30 22:19:29 EDT 2017


Replay the pcap file into snort with the -r option.

Check the manual for more info. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node8.html



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Joe Bowes <joebowes50 at ...131...<mailto:joebowes50 at ...131...>>
Reply-To: "joebowes50 at ...131...<mailto:joebowes50 at ...131...>" <joebowes50 at ...131...<mailto:joebowes50 at ...131...>>
Date: Sunday, April 30, 2017 at 7:38 PM
To: allewi <allewi at ...589...<mailto:allewi at ...589...>>, "younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...11827...>" <younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...11827...>>, 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>>
Subject: Re: [Snort-users] Snort -Problem with rule -

Hello.....i am working on a class assignment.....having a hard time....need to learn how to export packets from wireshark into Snort.....any help greatly appreciated.

Sent from Yahoo Mail on Android<https://overview.mail.yahoo.com/mobile/?.src=Android>

On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi)
<allewi at ...589...<mailto:allewi at ...589...>> wrote:
Hello,

    It may be easier to get help if you included a pcap of the traffic.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...<mailto:allewi at ...589...>








On 4/28/17, 9:05 PM, "younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...11827...>" <younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...11827...>> wrote:

>Hello everyone
>I am trying to test SQLI with a snort
>I have two machines:
>1- Where I installedSNORT, and the application dvwa (to test sql injection)
>2- The machine which is going to make the attack Sqli injection on the dvwa application
>
>So in the first machine I added this rule (in local.rule), To detect Sqli
>(https://www.linkedin.com/pulse/detecting-sql-injections-real-time-mission-impossible-val-smirnov)
>************************************************************
>alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only; http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:10000002; rev:002;)
>**************************************************************
>
>And after the test
>sudo snort -T -c /etc/snort/snort.conf -i eth0
>sudo snort -A console -c /etc/snort/snort.conf -i eth0
>Snort detect nothing (for  exemple ‘1or1=1#)
>
>But when I deleted the part pcre of the rule, snort detect it
>**********************************************************************************************
>alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002; rev:002;)
>***********************************************************************************************
>
>
>Someone can help me, why the first rule does not work  (pcre )
>Thank's.
>
>
>Sent from Mail for Windows 10
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list