[Snort-users] Snort -Problem with rule -

강명훈 mhkang589 at ...11827...
Mon May 1 11:39:24 EDT 2017


The PCRE checks for the string 'or+1=1'. Does the string 'or+(one or more)'
actually exist in the packet?

2017-05-01 11:19 GMT+09:00 Al Lewis (allewi) <allewi at ...589...>:

> Replay the pcap file into snort with the -r option.
>
> Check the manual for more info. http://manual-snort-org.s3-
> website-us-east-1.amazonaws.com/node8.html
>
>
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at ...589...<mailto:allewi at ...589...>
>
> From: Joe Bowes <joebowes50 at ...131...<mailto:joebowes50 at ...131...>>
> Reply-To: "joebowes50 at ...131...<mailto:joebowes50 at ...131...>" <
> joebowes50 at ...131...<mailto:joebowes50 at ...131...>>
> Date: Sunday, April 30, 2017 at 7:38 PM
> To: allewi <allewi at ...589...<mailto:allewi at ...589...>>, "
> younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...14542....>" <
> younes.abderrahmane31 at ...11827...<mailto:younes.abderrahmane31 at ...14542....>>,
> 'snort-users' <snort-users at lists.sourceforge.net<mailto:snort-
> users at lists.sourceforge.net>>
> Subject: Re: [Snort-users] Snort -Problem with rule -
>
> Hello.....i am working on a class assignment.....having a hard
> time....need to learn how to export packets from wireshark into
> Snort.....any help greatly appreciated.
>
> Sent from Yahoo Mail on Android<https://overview.mail.
> yahoo.com/mobile/?.src=Android>
>
> On Sun, Apr 30, 2017 at 4:26 PM, Al Lewis (allewi)
> <allewi at ...589...<mailto:allewi at ...589...>> wrote:
> Hello,
>
>     It may be easier to get help if you included a pcap of the traffic.
>
> Thanks.
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at ...589...<mailto:allewi at ...589...>
>
> On 4/28/17, 9:05 PM, "younes.abderrahmane31 at ...11827...<mailto:younes.
> abderrahmane31 at ...11827...>" <younes.abderrahmane31 at ...11827...<mailto:younes.
> abderrahmane31 at ...11827...>> wrote:
>
> >Hello everyone
> >I am trying to test SQLi with Snort.
> >I have two machines:
> >1- Where I installed SNORT, and the application dvwa (to test sql
> injection)
> >2- The machine which is going to make the Sqli injection attack on the
> dvwa application
> >
> >So in the first machine I added this rule (in local.rule), To detect Sqli
> >(https://www.linkedin.com/pulse/detecting-sql-
> injections-real-time-mission-impossible-val-smirnov)
> >************************************************************
> >alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection
> attempt"; flow:to_server,established; content:"1%3D1"; fast_pattern:only;
> http_client_body; pcre:"/or\++1%3D1/Pi"; metadata:policy balanced-ips drop,
> policy security-ips drop, service http; reference:url,ferruh.mavituna.
> com/sql-injection-cheatsheet-oku/; classtype:web-application-attack;
> sid:10000002; rev:002;)
> >**************************************************************
> >
> >And after the test
> >sudo snort -T -c /etc/snort/snort.conf -i eth0
> >sudo snort -A console -c /etc/snort/snort.conf -i eth0
> >Snort detects nothing (for example '1or1=1#)
> >
> >But when I deleted the pcre part of the rule, snort detects it
> >***********************************************************
> ***********************************
> >alert tcp any any -> any any (msg:"SQL 1 = 1 - possible sql injection
> attempt"; flow:to_server,established; content:"1%3D1"; sid:10000002;
> rev:002;)
> >***********************************************************
> ************************************
> >
> >
> >Can someone help me, why does the first rule (pcre) not work?
> >Thanks.
> >
> >
> >Sent from Mail for Windows 10
> >
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net
> >
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
-----------------------
Kang Myoung-hun
-----------------------
+82-10 6604 6084
kangmyounghun.blogspot.kr
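The point made at the top of this thread can be checked offline before touching snort.conf. The following is an added example, not code from the thread or from the Snort project: it applies the rule's PCRE (with Snort's "P" buffer modifier dropped, since that only selects the HTTP client body) to a few constructed form-encoded POST bodies with Python's re module, alongside the rule's content match and a hypothetical broader pattern that also accepts %20 and a raw '='. The sample bodies are made up for the test; whether an encoded or decoded body reaches the rule in practice depends on the http_inspect normalization settings, which this script does not model.

```python
import re

# The PCRE from the rule in the thread, minus the Snort-only "P" modifier.
# "\++" means ONE OR MORE LITERAL '+' characters, so "or1%3D1" (no '+')
# and "or%201%3D1" (space encoded as %20) never match.
ORIGINAL_PCRE = re.compile(r"or\++1%3D1", re.IGNORECASE)

# Hypothetical broader variant (assumption, not from the thread): a space
# encoded as '+' or '%20', and '=' either raw or as %3D.
BROADER_PCRE = re.compile(r"or(?:\+|%20)+1(?:=|%3D)1", re.IGNORECASE)

# The rule's content:"1%3D1" has no nocase modifier, so it is case-sensitive.
CONTENT_NEEDLE = "1%3D1"

# Constructed sample HTTP POST bodies (form-encoded); not captured traffic.
SAMPLE_BODIES = {
    "plus_encoded": "username=admin&password=x+or+1%3D1",
    "no_separator": "username=admin&password=1or1=1#",
    "percent20":    "username=admin&password=x%20or%201%3D1",
    "raw_equals":   "username=admin&password=x+or+1=1",
}


def matches(pattern, body):
    """True if the compiled regex finds a match anywhere in the body."""
    return pattern.search(body) is not None


def evaluate(bodies=SAMPLE_BODIES):
    """Return {name: (content_hit, original_pcre_hit, broader_pcre_hit)}.

    A Snort alert from the original rule needs content_hit AND
    original_pcre_hit; the comparison shows which bodies the PCRE drops.
    """
    results = {}
    for name, body in bodies.items():
        content_hit = CONTENT_NEEDLE in body
        results[name] = (
            content_hit,
            matches(ORIGINAL_PCRE, body),
            matches(BROADER_PCRE, body),
        )
    return results


if __name__ == "__main__":
    for name, (content, orig, broad) in evaluate().items():
        print(f"{name:14s} content={content!s:5s} original_pcre={orig!s:5s} "
              f"broader_pcre={broad!s:5s}")
```

Run as-is, it shows that only the body with a literal '+' between "or" and "1%3D1" satisfies both the content match and the original PCRE; the %20-encoded body passes the content match but is dropped by the PCRE, and the raw "1=1" bodies never satisfy the content match at all, so no PCRE change alone would make the rule fire on them.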


