LinuxQuestions.org
Old 03-24-2009, 08:55 AM   #1
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Snort - IPS


I have made the simplest rule in local.rules, as below:
Code:
alert tcp any any -> any any (msg:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)

I do get packets trapped in the log files when I execute the command
Code:
sudo snort -i eth0 -c /etc/snort/snort.conf -l /etc/snort

But the only thing that annoys me is that I can't find anything like "JAPAN DAVE", which is specified in the msg option, in the log files.
 
Old 03-25-2009, 10:52 PM   #2
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
You need a content match. The 'msg:"Japan Dave"' portion of your rule is just a description of the rule. Your current rule will fire on any tcp traffic.

Try this instead:
Code:
alert tcp any any -> any any (msg:"This is a test for text: Japan Dave"; content:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)
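To make the difference between `msg` and `content` concrete, here is a small rule linter and payload matcher added to this thread as an example. It is neither the original poster's code nor Snort's own rule parser: it understands only the options that appear in the thread (msg, content, nocase, sid, gid, rev), ignores the header fields when matching, and all rule strings and payloads in it are constructed for the example.

```python
"""
Snort-style rule linter and payload matcher (added example; not the poster's
code and not Snort's parser).  Only msg, content, nocase, sid, gid and rev
are understood.  Rule strings and payloads below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rule header: action proto src sport dir dst dport (options)
_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split the option list on ';' only when the ';' is outside double quotes.
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class Rule:
    action: str
    proto: str
    msg: str = ""
    sid: Optional[int] = None
    gid: int = 1
    rev: int = 1
    # (pattern, nocase) pairs collected from content:/nocase; options
    contents: List[Tuple[str, bool]] = field(default_factory=list)


def parse_rule(text: str) -> Rule:
    """Parse one rule line; a line with no closing ';)' is rejected."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError("malformed rule header or options: missing closing ';)'?")
    rule = Rule(action=m["action"], proto=m["proto"])
    for opt in (o.strip() for o in _OPT_SPLIT.split(m["opts"])):
        if not opt:
            continue
        key, _, val = opt.partition(":")  # first ':' only; msg text may contain ':'
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "gid":
            rule.gid = int(val)
        elif key == "rev":
            rule.rev = int(val)
        elif key == "content":
            rule.contents.append((val.strip('"'), False))
        elif key == "nocase" and rule.contents:
            pattern, _ = rule.contents[-1]  # nocase modifies the preceding content
            rule.contents[-1] = (pattern, True)
    if rule.sid is None:
        raise ValueError("rule has no sid")
    return rule


def lint(rule: Rule) -> List[str]:
    """Warn about rules that match on the header alone, as in post #1."""
    warnings = []
    if not rule.contents:
        warnings.append(
            f"gid {rule.gid} sid {rule.sid}: no content match, so every {rule.proto} "
            f'packet matching the header alerts; msg "{rule.msg}" is only the label '
            "written to the alert and is never searched for in the packet"
        )
    return warnings


def matches_payload(rule: Rule, payload: bytes) -> bool:
    """Apply only the content options to a payload (header fields are ignored)."""
    for pattern, nocase in rule.contents:
        haystack, needle = payload, pattern.encode()
        if nocase:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True  # a rule with no content options matches any payload


# Constructed inputs: the rule from post #1 (closing ';)' restored), the rule
# from post #2, and a truncated line like the one pasted in post #1.
ORIGINAL = 'alert tcp any any -> any any (msg:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)'
FIXED = ('alert tcp any any -> any any (msg:"This is a test for text: Japan Dave"; '
         'content:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)')
TRUNCATED = 'alert tcp any any -> any any (msg:"Japan Dave"; gid:1000001; sid:1000002; rev:1'
PAYLOAD = b"GET /?q=Japan+Dave HTTP/1.1\r\nHost: example.test\r\n\r\nHello Japan Dave\r\n"

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        rule = parse_rule(text)
        print(f"{label}: msg={rule.msg!r} contents={rule.contents}")
        for w in lint(rule):
            print("  warning:", w)
        print("  matches sample payload:", matches_payload(rule, PAYLOAD))
        print("  matches unrelated payload:", matches_payload(rule, b"SSH-2.0-OpenSSH\r\n"))
    try:
        parse_rule(TRUNCATED)
    except ValueError as e:
        print("truncated:", e)
```

Running it shows the original rule matching every payload (and the linter flagging it as header-only), the fixed rule matching only payloads that contain the exact bytes "Japan Dave" (case-sensitive unless `nocase` is added), and the truncated line from post #1 being rejected outright. The matcher deliberately skips the many real Snort content modifiers (depth, offset, distance, pcre, escaped quotes inside content strings), so treat it as an illustration of the msg-versus-content distinction, not as a substitute for testing the rule in Snort itself.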