Posted by PanamaJax on November 17, 2005 20:47:23
Running in packet mode works fine.
In IDS mode:
alert tcp any any -> any any (msg:"TCP traffic";) works fine
alert tcp any any -> any any (flow: to_server, established; content: "test"; msg: "Saw Test";) - does absolutely nothing when 'test' is sent by any method: Messenger service, http, telnet, ftp etc.
Based on the default virus.rules it should alert on an email being sent with a .vbs attachment, but it doesn't, through POP or Exchange.
Everything seems to work fine, just not with a content statement. I've tried every permutation I can come up with (in/outbound, stateless, etc.) and I don't get it.
If a user were to type 'google' in the web browser and there was an active rule:
alert tcp any any -> any any (flow: to_server, established; content: "google"; nocase; msg: "Saw google";)
shouldn't that trigger the alert?
Posted by brevizniak on November 26, 2005 18:36:50
Yes, it should work fine. There are some things to check:
- You actually see 'test' in the traffic when running with -dve
- You can see both sides of the connection
- The flow preprocessor is enabled
- The stream4 preprocessor is enabled
- You are not testing on the machine you are snorting from
This is because a lot of systems have cards that compute the checksum in hardware, so if you test and sniff on the same machine Snort may ignore the traffic because of a bad checksum.
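The last point in the checklist above is the one that most often bites people who generate test traffic on the sensor itself. The following is an added example (not code from the thread or from Snort) that models it: it builds an IPv4/TCP segment carrying the string "test", once with a valid TCP checksum and once with the zero placeholder a capture on the sending host sees when the NIC fills the checksum in later, then runs a Snort-like pipeline that drops bad-checksum segments before the content match. The addresses, ports and payload are constructed for the example; `inspect()` is a hypothetical stand-in for Snort's decode-verify-match steps, not Snort's API.

```python
"""
Why a content rule can stay silent when you sniff on the sending host:
with TCP checksum offload the capture library sees a placeholder checksum,
and checksum verification discards the segment before any rule is evaluated.

Added example, not from the original thread. All packet bytes are constructed.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload, fill_checksum=True):
    """IPv4 header + 20-byte TCP header + payload.

    fill_checksum=False leaves the TCP checksum field as 0, which is what a
    capture on the sending host sees when the NIC computes it on the wire.
    """
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    # seq 1, ack 1, data offset 5 words, flags PSH|ACK, window 8192, csum 0, urg 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    tcp_len = len(tcp_hdr) + len(payload)
    if fill_checksum:
        # TCP checksum covers a pseudo-header (src, dst, zero, proto 6, length)
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
        csum = inet_checksum(pseudo + tcp_hdr + payload)
        tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                         64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def tcp_checksum_ok(packet: bytes) -> bool:
    """Verify the TCP checksum of an IPv4 packet (no IP options assumed beyond IHL)."""
    ihl = (packet[0] & 0x0F) * 4
    src_b, dst_b = packet[12:16], packet[16:20]
    segment = packet[ihl:]
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(segment))
    # With the stored checksum included, a valid segment sums to 0xFFFF -> result 0
    return inet_checksum(pseudo + segment) == 0


def inspect(packet: bytes, pattern: bytes, verify_checksum: bool = True):
    """Hypothetical model of the relevant Snort steps: decode, drop segments
    with a bad TCP checksum (the default behaviour), then content-match."""
    if verify_checksum and not tcp_checksum_ok(packet):
        return None  # discarded before rule evaluation: no alert, no log line
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + doff:]
    return "Saw Test" if pattern in payload else None


if __name__ == "__main__":
    good = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"test")
    offloaded = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"test",
                               fill_checksum=False)
    print("valid checksum, default  :", inspect(good, b"test"))
    print("offloaded, default       :", inspect(offloaded, b"test"))
    print("offloaded, checks off    :", inspect(offloaded, b"test", verify_checksum=False))
```

The second and third prints show the symptom from the first post and the fix: the same payload is matched once checksum verification is skipped. On a real sensor the equivalent of `verify_checksum=False` is Snort 2's `-k none` command-line option (or `config checksum_mode: none` in snort.conf), and the better fix when you must test from the sensor is to turn transmit checksum offload off on the interface (`ethtool -K <iface> tx off` on Linux) so the captured copy carries a real checksum.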