Re: [Snort-users] help writing snort rule

This is a discussion on Re: [Snort-users] help writing snort rule within the Snort forums, part of the System Security and Security Related category.
Bill Lopez wrote:

> which doesn't produce an alert either – eventually I want to apply this filter to just traffic from/to mail, telnet, ftp (etc) servers – I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an e-mail, text file attachment or file upload and still never see an alert to the console. I have a simple rule to check for content using a keyword and get alerted when sending that keyword with e-mail, attachment and file upload (this was my test to see if snort was actually alerting correctly). I am only running my test rules with an out of the box snort.conf file.
>
> Why wouldn't either of the above rules alert with (for example) an e-mail sent with 555-55-5555 in the body?

Bill,

Can you please paste how you are running snort on the command line, and if you changed anything in your snort.conf please post that information too. This type of traffic should be seen by snort and the rules you created should alert.

Perhaps snort isn't seeing the traffic you are expecting; try running

# snort -vde -i eth0

to see what snort sees. Or, if you are running from a pcap, you might need to use

config checksum_mode: none

if you captured the file from the localhost.

Also, which port is this traffic intended for? You might need to configure your flow_depth on http_inspect if you are seeing this deep within the packet, rather than just in the headers.

-Blake

--
Blake Hartstein, Demarc Security, Inc.
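As an added illustration (not code from Bill or Blake; the rules from the original thread are not quoted in the post), the following Python harness holds a candidate Snort rule whose pcre covers the three SSN spellings Bill lists, pulls the pcre option out of the rule text, and runs it over constructed SMTP payloads. Python's re module is used as a stand-in for Snort's PCRE engine, which behaves the same for the constructs used here. The rule, its sid, and the payloads are all assumptions for the example. One payload is a quoted-printable body whose soft line break splits the number, which shows that a byte-level match and a match on the decoded body can disagree even when the rule itself is fine.

```python
import re
from quopri import decodestring

# Candidate Snort rule for the three SSN spellings in the thread (xxx-xx-xxxx,
# xxxxxxxxx, xxx xx xxxx). Assumed for illustration; sid is a placeholder.
SSN_RULE = (
    'alert tcp any any -> any 25 '
    '(msg:"POLICY possible SSN in SMTP body"; flow:to_server,established; '
    'pcre:"/\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/"; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Constructed SMTP payloads standing in for what Snort would see on the wire.
PAYLOADS = {
    "dashes":     b"Subject: test\r\n\r\nmy number is 555-55-5555\r\n",
    "spaces":     b"Subject: test\r\n\r\nmy number is 555 55 5555\r\n",
    "bare":       b"Subject: test\r\n\r\nmy number is 555555555\r\n",
    "phone_only": b"Subject: test\r\n\r\ncall me at 555-5555\r\n",
    # quoted-printable body: the '=' + CRLF soft line break splits the SSN
    "qp_split":   b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
                  b"my number is 555-55-=\r\n5555\r\n",
}


def pcre_from_rule(rule: str) -> re.Pattern:
    """Extract the pcre:"/.../flags" option from a Snort rule and compile it.

    Python's re is a stand-in for Snort's PCRE engine here; \\b, \\d, {n}
    and [- ]? behave identically in both.
    """
    m = re.search(r'pcre:"/(.+?)/([a-zA-Z]*)"', rule)
    if m is None:
        raise ValueError("rule has no pcre option")
    flags = re.IGNORECASE if "i" in m.group(2) else 0
    return re.compile(m.group(1), flags)


def rule_matches(rule: str, payload: bytes, decode_qp: bool = False) -> bool:
    """True if the rule's pcre fires on the payload.

    With decode_qp the quoted-printable transfer encoding is undone first,
    a step that a plain byte-level match of the raw packet does not perform.
    """
    data = decodestring(payload) if decode_qp else payload
    return pcre_from_rule(rule).search(data.decode("latin-1")) is not None


def evaluate(rule: str = SSN_RULE, payloads=PAYLOADS) -> dict:
    """Run the rule over every constructed payload, raw and QP-decoded.

    Returns {name: (matched_raw, matched_after_qp_decode)}.
    """
    return {
        name: (rule_matches(rule, p), rule_matches(rule, p, decode_qp=True))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (raw, decoded) in evaluate().items():
        print(f"{name:11s} raw={str(raw):5s} qp_decoded={decoded}")
```

Running it shows the dashed, spaced and bare forms matching and the seven-digit phone number not matching, while the quoted-printable payload matches only after decoding. Two points follow for anyone tuning such a rule: the bare nine-digit form will also fire on many non-SSN numbers, so it is worth a tighter pattern or a lower-priority classtype, and a harness like this can only tell you whether the pattern is right. Whether the packet reaches the rule at all is what Blake's suggestions about `snort -vde`, `checksum_mode` and `flow_depth` address, and that has to be checked on the sensor.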