<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Hi rmkml<br><br>answering questions<br><br>> what snort version you test please?<br><br>root@...14740...:~# snort -V<br><br>   ,,_     -*> Snort! <*-<br>  o"  )~   Version 2.8.4.1 (Build 38)  <br>   ''''    By Martin Roesch & The Snort Team:<br>http://www.snort.org/team.html<br>           Copyright (C) 1998-2009 Sourcefire, Inc., et al.<br>           Using PCRE version: 7.8 2008-09-05<br><br>root@...14740...:~# <br><br><br>> Do you send your
 conf?<br><br>/etc/snort/snort.debian.conf<br>DEBIAN_SNORT_STARTUP="boot"<br>DEBIAN_SNORT_HOME_NET="20.0.0.0/8"<br>DEBIAN_SNORT_OPTIONS=""<br>DEBIAN_SNORT_INTERFACE="eth0"<br>DEBIAN_SNORT_SEND_STATS="true"<br>DEBIAN_SNORT_STATS_RCPT="root"<br>DEBIAN_SNORT_STATS_THRESHOLD="1"<br>/etc/snort/snort.conf<br>var HOME_NET $eth0_ADDRESS<br>var EXTERNAL_NET any<br>var DNS_SERVERS $HOME_NET<br>var SMTP_SERVERS $HOME_NET<br>var HTTP_SERVERS $HOME_NET<br>var SQL_SERVERS $HOME_NET<br>var TELNET_SERVERS $HOME_NET<br>var SNMP_SERVERS $HOME_NET<br>portvar HTTP_PORTS 80<br>portvar SHELLCODE_PORTS !80<br>portvar ORACLE_PORTS 1521<br>var AIM_SERVERS<br>[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]<br>var RULE_PATH /etc/snort/rules<br>var PREPROC_RULE_PATH /etc/snort/preproc_rules<br>dynamicpreprocessor directory
 /usr/lib/snort_dynamicpreprocessor/<br>dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so<br>preprocessor frag3_global: max_frags 65536<br>preprocessor frag3_engine: policy first detect_anomalies<br>preprocessor stream5_global: max_tcp 8192, track_tcp yes, \<br>                              track_udp no<br>preprocessor stream5_tcp: policy first, use_static_footprint_sizes<br>preprocessor http_inspect: global \<br>    iis_unicode_map unicode.map 1252 <br>preprocessor http_inspect_server: server default \<br>    profile all ports { 80 8080 8180 } oversize_dir_length 500<br>preprocessor rpc_decode: 111 32771<br>preprocessor bo<br>preprocessor ftp_telnet: global \<br>   encrypted_traffic yes \<br>   inspection_type stateful<br>preprocessor
 ftp_telnet_protocol: telnet \<br>   normalize \<br>   ayt_attack_thresh 200<br>preprocessor ftp_telnet_protocol: ftp server default \<br>   def_max_param_len 100 \<br>   alt_max_param_len 200 { CWD } \<br>   cmd_validity MODE < char ASBCZ > \<br>   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \<br>   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \<br>   telnet_cmds yes \<br>   data_chan<br>preprocessor ftp_telnet_protocol: ftp client default \<br>   max_resp_len 256 \<br>   bounce yes \<br>   telnet_cmds yes<br>preprocessor smtp: \<br>  ports { 25 587 691 } \<br>  inspection_type stateful \<br>  normalize cmds \<br>  normalize_cmds { EXPN VRFY RCPT } \<br>  alt_max_command_line_len 260 { MAIL } \<br>  alt_max_command_line_len 300 { RCPT } \<br>  alt_max_command_line_len
 500 { HELP HELO ETRN } \<br>  alt_max_command_line_len 255 { EXPN VRFY }<br>preprocessor sfportscan: proto  { all } \<br>                         memcap { 10000000 } \<br>                         sense_level { low }<br>preprocessor dcerpc2<br>preprocessor dcerpc2_server: default<br>preprocessor dns: \<br>    ports { 53 } \<br>    enable_rdata_overflow<br>preprocessor ssl: noinspect_encrypted, trustservers<br>output log_tcpdump: tcpdump.log<br>include classification.config<br>include reference.config<br>include $RULE_PATH/local.rules<br>include $RULE_PATH/bad-traffic.rules<br>include $RULE_PATH/exploit.rules<br>include $RULE_PATH/community-exploit.rules<br>include
 $RULE_PATH/scan.rules<br>include $RULE_PATH/finger.rules<br>include $RULE_PATH/ftp.rules<br>include $RULE_PATH/telnet.rules<br>include $RULE_PATH/rpc.rules<br>include $RULE_PATH/rservices.rules<br>include $RULE_PATH/dos.rules<br>include $RULE_PATH/community-dos.rules<br>include $RULE_PATH/ddos.rules<br>include $RULE_PATH/dns.rules<br>include $RULE_PATH/tftp.rules<br>include $RULE_PATH/web-cgi.rules<br>include $RULE_PATH/web-coldfusion.rules<br>include $RULE_PATH/web-iis.rules<br>include $RULE_PATH/web-frontpage.rules<br>include $RULE_PATH/web-misc.rules<br>include $RULE_PATH/web-client.rules<br>include $RULE_PATH/web-php.rules<br>include $RULE_PATH/community-sql-injection.rules<br>include $RULE_PATH/community-web-client.rules<br>include $RULE_PATH/community-web-dos.rules<br>include $RULE_PATH/community-web-iis.rules<br>include $RULE_PATH/community-web-misc.rules<br>include $RULE_PATH/community-web-php.rules<br>include $RULE_PATH/sql.rules<br>include
 $RULE_PATH/x11.rules<br>include $RULE_PATH/icmp.rules<br>include $RULE_PATH/netbios.rules<br>include $RULE_PATH/misc.rules<br>include $RULE_PATH/attack-responses.rules<br>include $RULE_PATH/oracle.rules<br>include $RULE_PATH/community-oracle.rules<br>include $RULE_PATH/mysql.rules<br>include $RULE_PATH/snmp.rules<br>include $RULE_PATH/community-ftp.rules<br>include $RULE_PATH/smtp.rules<br>include $RULE_PATH/community-smtp.rules<br>include $RULE_PATH/imap.rules<br>include $RULE_PATH/community-imap.rules<br>include $RULE_PATH/pop2.rules<br>include $RULE_PATH/pop3.rules<br>include $RULE_PATH/nntp.rules<br>include $RULE_PATH/community-nntp.rules<br>include $RULE_PATH/community-sip.rules<br>include $RULE_PATH/other-ids.rules<br>include $RULE_PATH/web-attacks.rules<br>include $RULE_PATH/backdoor.rules<br>include $RULE_PATH/community-bot.rules<br>include $RULE_PATH/community-virus.rules<br>include $RULE_PATH/experimental.rules<br>include
 threshold.conf<br><br>> snort cmd line starting please?<br><br>/usr/sbin/snort -m 027 -D -d -v -l /var/log/snort -u snort -g snort<br>-c /etc/snort/snort.conf -S HOME_NET=[10.0.0.0/8] -i eth0<br><br>> for example, maybe disable checksum with '-k none' on cmd line...<br>> you have created a html page (http reply server side), and you have <br>> created a snort rule on client (to server) side...<br>> Regards<br>In desperation, I tried the following rules:<br><br>alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)<br>alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)<br>alert tcp any any <> any any (content:"teste rule"; http_client_body; msg:"TEST HTTP"; sid:100000000; depth:1000;)<br><br>without success in all.<br><br>No idea where I can be wrong or missing some preprocessor. I thank you.<br><br>Regards.<br><br></td></tr></table><br>
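As an added example (my own code, not part of the message above or of Snort), a small Python linter that parses the three rules quoted above and reports the two rule-level problems a reviewer would flag before looking at preprocessors: the same sid reused by all three rules, which Snort will not accept if they are loaded together (assumed here), and http_client_body restricting the match to the client's request body, so a test page in the server's reply can never hit it. The parser, the HEADER regex and the finding texts are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the three rules quoted in the message above (constructed copy).
RULES = [
    'alert tcp 10.0.0.0/8 80 -> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)',
    'alert tcp any any <> any any (content:"teste rule"; msg:"TEST HTTP"; sid:100000000;)',
    'alert tcp any any <> any any (content:"teste rule"; http_client_body; msg:"TEST HTTP"; sid:100000000; depth:1000;)',
]

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def split_options(body):
    """Split the option body on ';' but leave quoted strings (content, msg) intact."""
    opts, cur, quoted = [], '', False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            opts.append(cur)
            cur = ''
        else:
            cur += ch
    opts.append(cur)
    # 'key:value' -> (key, value); a bare modifier such as http_client_body -> (key, '')
    return [tuple(p.strip() for p in o.partition(':')[::2]) for o in opts if o.strip()]

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError('unparseable rule: ' + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'opts': split_options(body)}

def lint(rules):
    """Return (rule index, finding) pairs for a rule set loaded together."""
    parsed = [parse_rule(r) for r in rules]
    sid_count = Counter(dict(r['opts']).get('sid') for r in parsed)
    findings = []
    for i, r in enumerate(parsed):
        keys = [k for k, _ in r['opts']]
        sid = dict(r['opts']).get('sid')
        if sid_count[sid] > 1:
            findings.append((i, 'sid %s reused; every rule needs a unique gid:sid' % sid))
        if 'http_client_body' in keys:
            findings.append((i, 'http_client_body only inspects the HTTP request body, '
                                'so a page in the server reply never matches'))
    return findings
```

Running lint(RULES) reports the reused sid for all three rules and the http_client_body problem for the third; a rule set with distinct sids and no request-only modifiers comes back empty.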

