Are you generating your test traffic from the same system running snort?
If so you might want to try the following:
If you run tcpdump -i <interface> -nvvvv | egrep -i (bad|invalid)
Do you see anything?
If so you'll need to run snort with "-k none" for your testing which
turns off validation of checksums.
-matt
MD B Zaman L wrote:
On Thu, Feb 14, 2008 at 4:17 AM, Jamie Riden <jamie.riden@gmail.com> wrote:
Just as a sanity check, have you verified that the sensor is seeing
the appropriate packets? (ngrep or tcpdump will do).
Ya , I have verified with ethereal and it is generating the matching
packets.
Also , snort is working fine with other signatures like ICMP ping and
content
matching for other ports like 53.
I am only facing the problem with port 80. Even If i replace uricontent
with content , it does not work
regards
zaman
On 14/02/2008, MD B Zaman L <mdbzaman.l@gmail.com> wrote:
Greetings Esler,
The following are the entries in snort.conf
var HOME_NET 172.16.16.251
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,443]
The HTTP server is running on 172.16.16.251
I also modified the snort signature to
alert tcp any any -> any any (msg:"uri content testing successful
";
flow:to_server,established;
uricontent:"/server-info"; sid:1000007; )
But still it is not firing the alert .
regards
zaman
On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler@sourcefire.com>
wrote:
I would first look at your directional statements. How do you have
$HTTP_SERVERS configured? It is pointing towards $HOME_NET? Is your
$HOME_NET filled in?
How about $EXTERNAL_NET? How is that variable configured?
J
On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
Greetings All,
I am a new user of snort . I am finding some difficulty in
using
the snort signatures with uri content.
I have created my own snort signature as follows to test for
uri
content.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri
content
testing successful "; flow:to_server,established;
uricontent:"/server-info";
sid:1000007; )
After that I tried to access the webpage
http://<http_server>/server-info and verified with
ethereal whether the content /server-info is generated or not.
Ethereal was showing that the content was generated.
But no alert was fired for the above written signature .
Please clarify me how to test signatures with uri content.
Snort is working fine as I have checked with other signatures
with no
uricontent.
With Thanks in Advance
regards
zaman
--
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
