Bill Lopez wrote:
which doesn’t produce an alert either – eventually I want to apply
this filter to just traffic from/to mail , telnet, ftp (etc) servers –
I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an
e-mail, text file attachment or file upload and still never see an
alert to the console. I have a simple rule to check for content using
a keyword and get alerted when sending that keyword with e-mail,
attachment and file upload (this was my test to see if snort was
actually alerting correctly) I am only running my test rules with an
out of the box snort.conf file.
Why wouldn’t either of the above rules alert with (for example) an
e-mail sent with 555-55-5555 in the body?
Bill,
Can you please paste how you are running snort on the command line, and
if you changed anything in your snort.conf please post that information too.
This type of traffic should be seen by snort and the rules you created
should alert.
Perhaps, snort isn't seeing the traffic you are expecting,
try running
# snort -vde -i eth0
to see what snort sees.
or if you are running from a pcap you might need to use
config checksum_mode: none
If you captured the file from the localhost.
Also, which port is this traffic intended for?
You might need to configure your flow_depth on http_inspect if you are
seeing this deep within the packet, rather than just in the headers.
-Blake
--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
bhartstein.vcf
Description: Vcard
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
