LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 01-15-2015, 07:08 PM   #1
sniper8752
Member
 
Registered: Oct 2012
Posts: 567

Rep: Reputation: Disabled
snort rule


I am trying to setup a Snort rule. Here is my rule:
Code:
alert tcp any any -> any any (msg:"WARNING bad content here"; content:"bad stuff"; nocase; flow:to_client,established; classtype:nonsense; sid:1000001; rev:1;)
I go to somewhere that has "bad stuff". But when I go there, I do not get any alerts in the log file. Why does this not work?
 
Old 01-17-2015, 06:15 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608Reputation: 3608
Quote:
Originally Posted by sniper8752 View Post
I go to somewhere that has "bad stuff".
Be specific and complete providing nfo. How do you "go there"? Browser? FTP client Other?


Quote:
Originally Posted by sniper8752 View Post
Why does this not work?
Yes, that's the question. Now take it one step further and start diagnosing things from the ground up:
- Is this the only rule loaded?
- Does restarting Snort show any anomalies on stdout, stderr, syslog or its own log file?
- Do you use any BPF, alert or other suppression rules?


Quote:
Originally Posted by sniper8752 View Post
Code:
alert tcp any any -> any any
Shouldn't you be using the EXTERNAL_NET and HOME_NET variables and a remote port number to narrow down things?


Quote:
Originally Posted by sniper8752 View Post
Code:
content:"bad stuff";
How did you determine this is the correct string to use?


Quote:
Originally Posted by sniper8752 View Post
Code:
classtype:nonsense;
Should you jeopardize the troubleshooting process by making up nonexistent classes?


[EDIT]Also, if there is a particular reason why you need this rule please explain in detail. Because if this is about a (perceived) breach of security or some such thing I'd rather know right now.[/EDIT]

Last edited by unSpawn; 01-17-2015 at 06:18 AM. Reason: //Addendum
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Help with a Snort rule yzT! Linux - Security 1 10-25-2014 03:40 PM
Snort Rule stewarti Linux - Security 2 10-30-2013 02:30 PM
Ask about snort rule lamletoi Linux - Security 1 05-13-2012 02:54 PM
[SOLVED] Snort - DynamicPlugin: Rule [##] not enabled in configuration, rule will not be used mhollis Linux - Software 3 08-29-2011 06:06 PM
Help with my snort rule set PixelCloud Linux - Security 1 07-17-2004 01:35 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration