Snort rules created to search content in payload are not showing alerts
Hi.. I'm new to Snort.
I've captured some traffic with tcpdump, analyzed it in Wireshark and created some rules. I'm using Xubuntu 9.10.
Code:
alert tcp any any -> any any (msg:"GET request to tracker"; flow:to_server,established; content:"GET"; offset:0; depth:5; sid:1000000; rev:1;)
After running it with snort ... I'm watching BASE to see the alerts .. but nothing about my rules. I know that this rule is right. The only thing that can be wrong is the snort.conf file. Can someone help me.... please?
And what if you configure Snort to output to plain text logs instead and watch those and make it trip the rule?
Thank you for answering me :)
But the thing is.. when I try a basic rule like
Code:
alert tcp any any -> any any (msg:"Test";)
it is working (I can see the alerts in BASE). However, when I try something that involves the payload, like
Code:
alert tcp any any -> any any (msg:"scrap request to the tracker!!!!!!!!!!!!!!!!!!!"; content:"GET";)
it doesn't work. Do I need to add anything to snort.conf when I want to use the content keyword?
Code:
sudo snort -c /etc/snort/snort.conf -r /home/dalgas/Desktop/BitTorrent/trafego_BitTorrent/trafegoBit.cap
Code:
Running in IDS mode
I haven't tried it, but you might want to try adding this rule to local.rules:
Code:
alert tcp any any -> any any (msg:"GET request to tracker"; flow:to_server,established; content:"GET"; http_method; sid:1000000; rev:1;)
It is not working.
Tell me something.. I've installed Snort, and in the snort.conf file I just changed HOME_NET, EXTERNAL_NET and the http_inspect_server preprocessor, nothing else:
Code:
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 1000 server_flow_depth 1460 client_flow_depth 1000
Do I need to add something so that Snort is able to read the payload? Because the problem here is that Snort is not using the content keyword. Thanks for your answers ...
Ok! There it goes ... a trace from Wireshark and the rules created:
Code:
00000000  64 31 3a 61 64 32 3a 69 64 32 30 3a 84 d1 42 52  d1:ad2:i d20:..BR
00000010  6a a6 50 da 29 70 0e ec 8b 5d d2 5f c7 69 42 af  j.P.)p.. .]._.iB.
00000020  65 31 3a 71 34 3a 70 69 6e 67 31 3a 74 34 3a 05  e1:q4:pi ng1:t4:.
00000030  31 00 00 31 3a 76 34 3a 55 54 46 af 31 3a 79 31  1..1:v4: UTF.1:y1
00000040  3a 71 65                                         :qe
This rule is to detect the "ping" word in the trace (70 69 6e 67):
Code:
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"DHT ping detected"; content:"d1\:ad2\id20\."; offset:0; depth:11; sid:1000007;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"DHT ping detected"; content:"ping."; offset:39; depth:4; sid:1000008;)
Note that I've tried with the rules defined in p2p.rules and I can't see alerts in BASE either... like for instance:
Code:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
Do you think it is possible that Snort is not properly installed? Because when I try this basic rule without content ..... it shows many alerts (all TCP connections), proving to me that BASE is working fine in this case.
Code:
alert tcp any any -> any any (msg:"Test!!!"; sid:1000003;)
Thanks a lot for helping me :D
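How Snort's content / offset / depth window works, applied to the DHT ping packet from the post above. This is an added Python illustration, not Snort's own code and not from anyone in the thread; the payload is rebuilt from the hex dump, and the patterns are the literal bytes in the dump rather than the escaped forms in the posted rules.

```python
from typing import Optional

# Payload reconstructed from the hex dump posted above (67 bytes, a DHT ping).
DHT_PING = bytes.fromhex(
    "64313a6164323a696432303a84d14252"
    "6aa650da29700eec8b5dd25fc76942af"
    "65313a71343a70696e67313a74343a05"
    "310000313a76343a555446af313a7931"
    "3a7165"
)


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> Optional[int]:
    """Model of a single Snort content match.

    offset: absolute position in the payload where the search starts.
    depth:  number of bytes, counted from offset, that are searched; the
            whole pattern must fit inside that window, so a depth shorter
            than the pattern can never match.
    Returns the absolute index of the match, or None.
    """
    if offset < 0 or offset > len(payload):
        return None
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    idx = window.find(pattern)
    return None if idx < 0 else offset + idx


def check_ping_rules() -> dict:
    """Evaluate the windows used by the two posted rules against the dump."""
    return {
        # sid:1000007 as posted: first 11 bytes of the bencoded header.
        "header_depth11": content_match(DHT_PING, b"d1:ad2:id20", 0, 11),
        # sid:1000008 as posted: 'ping' really starts at 0x26 = 38, and a
        # 5-byte pattern cannot fit in a 4-byte window.
        "ping_as_posted": content_match(DHT_PING, b"ping.", 39, 4),
        # Same intent with a 4-byte pattern starting where the dump shows it.
        "ping_fixed": content_match(DHT_PING, b"ping", 38, 4),
        # No offset/depth: the pattern is found anywhere in the payload.
        "ping_anywhere": content_match(DHT_PING, b"ping"),
    }


if __name__ == "__main__":
    for name, hit in check_ping_rules().items():
        print(f"{name:15s} -> {'match at ' + str(hit) if hit is not None else 'no match'}")
```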
You posted this from your snort output earlier:
Code:
HTTP Inspect - encodings (Note: stream-reassembled packets included):
Yes, I'm sure ... it's a trace from BitTorrent that has mainly TCP and UDP...