Re: [Snort-users] TCP packets detection problem ? (Snort forums, System Security and Security Related)
If the rule is actually typed in: KaZaA and the content in the traffic is:
Kazaa, that is your problem. You have not specified nocase in your rule.
Without specifying nocase, all of the content searches are case sensitive.
Either put nocase; somewhere after the content specification or type in the
correct case.

> Hello
> Here is my snort.conf:
>
> var HOME_NET any
> var EXTERNAL_NET any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> preprocessor frag2
> preprocessor stream4: detect_scans,disable_evasion_alerts
> preprocessor stream4_reassemble
> ruletype test1
> {
> type alert
> }
>
> test1 tcp any any <> any any (content:"KaZaA";msg: "KAZAA TRAFFIC";)
> test1 tcp any any <> any any (msg: "ALL";)
>
> So I want to detect KAZAA TCP traffic. But when I launch
> snort with such configuration:
> snort -D -d -A fast -c /usr/local/etc/snort.conf
> I receive in logs only ALL logs, while I'm using the Kazaa client;
> moreover, in the ALL logs there are many strings KaZaA,
> for example:
>
> [**] ALL [**]
> 04/19-08:18:04.861058 64.14.61.77:1439 -> 10.0.3.11:4164
> TCP TTL:51 TOS:0x0 ID:9116 IpLen:20 DgmLen:222 DF
> ***AP*** Seq: 0xA6E23B76 Ack: 0xEEA015A8 Win: 0x1920 TcpLen: 20
> 48 54 54 50 2F 31 2E 30 20 35 30 33 20 53 65 72 HTTP/1.0 503 Ser
> 76 69 63 65 20 55 6E 61 76 61 69 6C 61 62 6C 65 vice Unavailable
> 0D 0A 52 65 74 72 79 2D 41 66 74 65 72 3A 20 33 ..Retry-After: 3
> 30 30 0D 0A 58 2D 4B 61 7A 61 61 2D 55 73 65 72 00..X-Kazaa-User
> 6E 61 6D 65 3A 20 41 6D 69 73 73 61 6E 6E 32 54 name: Amissann2T
> 4D 4F 0D 0A 58 2D 4B 61 7A 61 61 2D 4E 65 74 77 MO..X-Kazaa-Netw
> 6F 72 6B 3A 20 4B 61 5A 61 41 0D 0A 58 2D 4B 61 ork: KaZaA..X-Ka
>
> So why can snort not detect this traffic?
> The interesting thing is that if I write the word KaZaA on IRC, it's detected
> properly.
>
> Could anybody help?
> Thanx
> Michal

Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
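The reply's point, that a Snort `content:"..."` test without the `nocase;` modifier is an exact, case-sensitive byte match, is easy to check offline. The following is an added example written for this page; it is not code from the Snort project or from either poster, and it only mimics the essence of `content`/`nocase` matching in plain Python. The first payload is the text column of the hex dump quoted in the mail, reassembled as far as the dump shows it (it carries both the mixed-case `X-Kazaa-...` header names and the exact string `KaZaA` in the network header, so it matches either way); the second payload is constructed for the demonstration and carries only the `Kazaa` spelling, which is the miss the reply describes. The `rule()` helper renders the poster's `test1` rule with and without `nocase;` so the corrected rule text can be copied.

```python
"""Case-sensitive vs. nocase content matching, illustrated in plain Python.

Added example for the thread above; not Snort source and not the posters'
code. Snort's real matcher is more involved (fast-pattern search, depth,
offset, etc.); this only reproduces the case-handling behaviour of
`content:"..."` with and without the `nocase;` modifier.
"""

# Text column of the hex dump quoted in the mail, reassembled up to the point
# where the dump is cut off ("X-Ka" is truncated in the post, so it is left out).
CAPTURED_PAYLOAD = (
    b"HTTP/1.0 503 Service Unavailable\r\n"
    b"Retry-After: 300\r\n"
    b"X-Kazaa-Username: Amissann2TMO\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
)

# Constructed payload (not from the post): a request that carries only the
# "Kazaa" spelling in its header names and never the exact bytes "KaZaA".
CONSTRUCTED_PAYLOAD = (
    b"GET /example-path HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Kazaa-Username: example-user\r\n"
    b"X-Kazaa-Network: kazaa\r\n"
    b"\r\n"
)


def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Mimic a Snort `content` test.

    Without nocase the pattern must appear byte-for-byte. With nocase the
    comparison ignores ASCII letter case (bytes.lower() only folds ASCII,
    which is also what a content pattern like "KaZaA" consists of).
    """
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule(pattern: str, nocase: bool, msg: str) -> str:
    """Render the poster's test1 rule, optionally with the nocase modifier.

    nocase is placed right after the content option it modifies, which is
    what the reply recommends ("somewhere after the content specification").
    """
    opts = [f'content:"{pattern}";']
    if nocase:
        opts.append("nocase;")
    opts.append(f'msg:"{msg}";')
    return "test1 tcp any any <> any any (" + " ".join(opts) + ")"


def evaluate(payloads: dict) -> dict:
    """Run the pattern from the thread over each payload both ways."""
    results = {}
    for name, payload in payloads.items():
        results[name] = {
            "case_sensitive": content_match(payload, b"KaZaA"),
            "nocase": content_match(payload, b"KaZaA", nocase=True),
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate(
        {"captured": CAPTURED_PAYLOAD, "constructed": CONSTRUCTED_PAYLOAD}
    ).items():
        print(f"{name:12s} case-sensitive={outcome['case_sensitive']!s:5s} "
              f"nocase={outcome['nocase']}")
    print("rule as posted:   ", rule("KaZaA", False, "KAZAA TRAFFIC"))
    print("rule with nocase: ", rule("KaZaA", True, "KAZAA TRAFFIC"))
```

Running it shows the captured response matching under both rules, while the constructed request with only `Kazaa`-spelled headers matches only once `nocase;` is present; the second printed line is the corrected form of the rule from the post.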