
| Subject: | Re: [Snort-users] help with rules - data capturing |
|---|---|
| Date: | Wed, 26 Dec 2007 16:29:35 -0800 |
Thank you all for responding. I compiled 2.81 and see snort running; however,
I could use more help, as no data were captured although I see the data from
tcpdump on the same machine. I also tried removing all the default rules and
running snort with only one to avoid any contamination. Perhaps I missed
something?
~ Tim
```
alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)
```
TCPDUMP results:

```
16:26:09.941940 IP 209.31.36.15.ptr.us.xo.net.13001 > 66.xxx.xxx.xxx.static.xxx.com.26334: S 664514795:664514795(0) ack 6516 win 5840 <mss 1460>
0x0000: 4500 002c 0000 4000 4006 7202 d11f 240f E..,..@.@.r...$.
0x0010: 42d8 90c3 32c9 66de 279b b0eb 0000 1974 B...2.f.'......t
0x0020: 6012 16d0 2cda 0000 0204 05b4 `...,.......
16:26:11.264892 IP 66.216.144.195.static.dejazzd.com.26334 > 209.xxx.xxx.xxx.ptr.xxx.net.13001: P 1:137(136) ack 1 win 8096
0x0000: 4500 00b0 0004 4000 eb06 c679 42d8 90c3 E.....@....yB...
0x0010: d11f 240f 66de 32c9 0000 1974 279b b0ec ..$.f.2....t'...
0x0020: 5018 1fa0 8f42 0000 0604 8319 8800 0000 P....B..........
0x0030: 6100 0000 2533 3536 3933 3930 3130 3030 a...%35693901000
0x0040: 3036 3736 2c24 4750 524d 432c 3030 3137 0676,$GPRMC,0017
0x0050: 3432 2e30 3030 2c41 2c33 3335 372e 3631 42.000,A,3357.61
0x0060: 3638 2c4e 2c31 3137 3536 2e38 3639 362c 68,N,11756.8696,
0x0070: 572c 302e 3030 2c2c 3237 3132 3037 2c2c W,0.00,,271207,,
0x0080: 2c41 2c2b 3132 3133 3833 3936 3635 332c ,A,+12138396653,
0x0090: 4e30 3338 6400 0000 0000 0000 0000 0000 N038d...........
0x00a0: 0000 0000 0000 0000 0000 0000 ffff ffff ................
16:26:11.264922 IP 209.31.36.15.ptr.us.xo.net.13001 > 66.xxx.xxx.xxx.static.xxx.com.26334: . ack 137 win 6432
0x0000: 4500 0028 9c41 4000 4006 d5c4 d11f 240f E..(.A@.@.....$.
0x0010: 42d8 90c3 32c9 66de 279b b0ec 0000 19fc B...2.f.'.......
0x0020: 5010 1920 41bf 0000 P...A...
```
Snort started with this command:

```
46480 29072 ? S Dec24 2:05 /home/user1/snort/snort-2.8.0.1/src/snort -Qc /home/user1/snort/snort-2.8.0.1/etc/snort.conf -l /var/log/snort/
```