snort rule

sniper8752 · 01-15-2015, 07:08 PM

I am trying to setup a Snort rule. Here is my rule:

Code:

alert tcp any any -> any any (msg:"WARNING bad content here"; content:"bad stuff"; nocase; flow:to_client,established; classtype:nonsense; sid:1000001; rev:1;)

I go to somewhere that has "bad stuff". But when I go there, I do not get any alerts in the log file. Why does this not work?

unSpawn · 01-17-2015, 06:15 AM

Quote:

Originally Posted by sniper8752

I go to somewhere that has "bad stuff".

Be specific and complete providing nfo. How do you "go there"? Browser? FTP client Other?

Quote:

Originally Posted by sniper8752

Why does this not work?

Yes, that's the question. Now take it one step further and start diagnosing things from the ground up:
- Is this the only rule loaded?
- Does restarting Snort show any anomalies on stdout, stderr, syslog or its own log file?
- Do you use any BPF, alert or other suppression rules?

Quote:

Originally Posted by sniper8752

Code:

alert tcp any any -> any any

Shouldn't you be using the EXTERNAL_NET and HOME_NET variables and a remote port number to narrow down things?

Quote:

Originally Posted by sniper8752

Code:

content:"bad stuff";

How did you determine this is the correct string to use?

Quote:

Originally Posted by sniper8752

Code:

classtype:nonsense;

Should you jeopardize the troubleshooting process by making up nonexistent classes?

[EDIT]Also, if there is a particular reason why you need this rule please explain in detail. Because if this is about a (perceived) breach of security or some such thing I'd rather know right now.[/EDIT]