Re: [Snort-users] TCP packets detection problem ?

Old 04-19-2004
Antonio Eugenio Villar

I am having problems using content in Snort 2.x.x.
These problems do not appear in Snort 1.9.0. If you
want to try 1.9.0 to see if it works, let me know.



--- Michal Kowalski <x145@wp.pl> wrote:
> Hello
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> preprocessor frag2
> preprocessor stream4: detect_scans,disable_evasion_alerts
> preprocessor stream4_reassemble
> ruletype test1
> {
> type alert
> }
>
> test1 tcp any any <> any any (content:"KaZaA";msg: "KAZAA TRAFFIC";)
> test1 tcp any any <> any any (msg: "ALL";)
>
> So I want to detect Kazaa TCP traffic. But when I launch snort with
> this configuration:
> snort -D -d -A fast -c /usr/local/etc/snort.conf
> I receive only ALL alerts in the logs while I'm using the Kazaa client;
> moreover, in the ALL logs there are many KaZaA strings, for example:
>
> [**] ALL [**]
> 04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
> TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
> ***AP*** Seq: 0xA6E23B76 Ack: 0xEEA015A8 Win: 0x1920 TcpLen: 20
> 48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
> 76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
> 0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
> 30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
> 6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
> 4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
> 6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
>
> So why can snort not detect this traffic?
> The interesting thing is that if I write the word KaZaA on IRC, it's
> detected properly.
>
> Could anybody help?
> Thanx
> Michal

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
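Before blaming the rule, it helps to confirm that the pattern really is in the bytes Snort logged. The script below is an added example, not code from the thread or from Snort: it rebuilds the payload from the -d hex dump quoted above (hex and ASCII columns rejoined onto one line per row) and checks it the way Snort's content option does, as an exact, case-sensitive byte match unless nocase is used.

```python
import re

# Payload rows copied from the alert quoted in the thread (only the
# seven rows shown in the post; the full segment carried more data).
SNORT_DUMP = """\
48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72  HTTP/1.0 503 Ser
76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65  vice Unavailable
0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33  ..Retry-After: 3
30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72  00..X-Kazaa-User
6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54  name: Amissann2T
4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77  MO..X-Kazaa-Netw
6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61  ork: KaZaA..X-Ka
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def payload_from_dump(dump: str) -> bytes:
    """Rebuild raw payload bytes from a Snort -d hex/ASCII dump.

    Each row holds up to 16 hex bytes followed by their ASCII rendering.
    Only the hex column is trusted: the ASCII column replaces
    non-printable bytes (CR, LF, ...) with '.', so it cannot be matched on.
    """
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            # Stop at the 16-byte row limit or at the first ASCII token.
            if taken == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> int:
    """Emulate Snort's content option: returns the byte offset of the
    first match, or -1. Case-sensitive unless nocase is set, which is
    why content:"KaZaA" would not hit the "X-Kazaa-User" header."""
    needle = pattern.encode("latin-1")
    if nocase:
        return payload.lower().find(needle.lower())
    return payload.find(needle)


if __name__ == "__main__":
    data = payload_from_dump(SNORT_DUMP)
    print("payload bytes:", len(data))
    print("KaZaA (case-sensitive) at:", content_matches(data, "KaZaA"))
    print("kazaa (case-sensitive) at:", content_matches(data, "kazaa"))
    print("kazaa (nocase) at:", content_matches(data, "kazaa", nocase=True))
```

Running it shows the exact bytes "KaZaA" are present in the logged segment, so the mismatch is not in the pattern itself; the next things to compare are how the reassembled stream4 pseudo-packets versus the raw packets reach the detection engine in the two Snort versions.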