Research | 27 Feb 21:58 2015

Generator ID map file location changed?

Hello,

On page 12 of the PDF format of the “Snort 2.9.7 Manual” [1], it notes that the mapping for GIDs
(Generator IDs) can be found in:

	"For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event
	came from the “decode” (116) component of Snort."

From the source tar ball, I can see the etc subdirectory:

	~/snort_src/snort-2.9.7.0/etc

In there I can see “gen-msg.map”:

	-rw-r--r--  1 user user  31K Sep 16 14:24 gen-msg.map

Inside this file I can see a mapping to “decode” for GID 116 (as referenced in the first quote from the
manual), so is this the file that the GID mappings are in now, *NOT* generators, or am I still looking in the
wrong place? If so, am I correct in interpreting that a GID of 1 means the generator was “snort general
rule”, which matches up to a custom rule I wrote?

Thanks

[1] See: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/051/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1425073972&Signature=9uEeOQH3nRJTwXr6c7XxK%2F%2FWqAU%3D
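An added example (not from the post and not code from the Snort tree) that reads a gen-msg.map-style table and resolves the [gid:sid:rev] triple of a fast-format alert line to its generator. The three map lines are constructed in the `gid || sid || message` layout the file uses; the real file is much longer. It shows the distinction the question turns on: GID 1 means a text rule, so the SID identifies the rule itself (custom rules included), while for any other GID the (gid, sid) pair identifies a specific decoder or preprocessor event.

```python
import re

# Constructed sample in the gen-msg.map layout (gid || sid || message); illustrative
# lines only, not copied from the Snort source tree.
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
1 || 1 || snort general alert
116 || 1 || (snort_decoder) WARNING: Not IPv4 datagram
116 || 2 || (snort_decoder) WARNING: hlen < IP_HEADER_LEN
"""


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map contents, skipping comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line; the real file is well-formed
        gid, sid = int(parts[0]), int(parts[1])
        table[(gid, sid)] = " || ".join(parts[2:])
    return table


# Matches the [gid:sid:rev] triple in a fast-format alert line, e.g. "[1:1112111:1]".
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def describe_alert(alert_line, table):
    """Resolve the generator of one alert line using the parsed map."""
    m = ALERT_ID.search(alert_line)
    if not m:
        raise ValueError("no [gid:sid:rev] triple in line")
    gid, sid, rev = (int(x) for x in m.groups())
    if gid == 1:
        # Text rules all carry GID 1; the SID names the rule, and the map only has
        # the generic "snort general alert" entry for them.
        generator = table.get((1, 1), "snort general alert")
    else:
        # Decoder/preprocessor events: the component is the GID, the event the SID.
        generator = table.get((gid, sid), "unknown generator %d (sid %d)" % (gid, sid))
    return {"gid": gid, "sid": sid, "rev": rev, "generator": generator}


if __name__ == "__main__":
    table = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    print(describe_alert("[116:2:1] decoder event", table))
```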
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

Research | 26 Feb 18:11 2015

Startup error post-package install

Hello,

I have just begun using Snort and am following along with a book (“Linux Firewalls”, 4th Edition, (c)
2015). I am currently just focussing on getting Snort up and running and plan to read the full Snort
documentation set next.

Installing on Ubuntu 12.0.4.5 LTS via the following:

	sudo apt-get install snort

…installs Snort. The version is:

	snort -V

…returning "Version 2.9.2 IPv6 GRE (Build 78)".

I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:

	var RULE_PATH /etc/snort/rules

I then attempted to start Snort in non-daemon mode with:

	sudo snort start -c /etc/snort/snort.conf

…however I receive the following and then termination:

	(lines omitted)
	+++++++++++++++++++++++++++++++++++++++++++++++++++
	Initializing rule chains...
	WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.

Rishabh Shah | 26 Feb 08:07 2015

Snort react should return HTTP 302 instead of HTTP 403

Hi Snort Team,

Is it possible that Snort can return an HTTP 302 page instead of HTTP 403 Forbidden when react is configured in the configuration file?

I have defined "config react: /var/www/html/block.html" in my configuration file and my traffic hits the following rule:
reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)

On my windows client, I receive an HTTP 403 forbidden after sending a facebook request as shown in the packet capture below:

GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l


HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99

<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p> </body> </html>

(^ content of block.html)

But I want Snort to return HTTP 302 instead of HTTP 403, as the above message doesn't get displayed in the browser when the response is HTTP 403.

I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c" (replacing HTTP/1.1 403 Forbidden\r\n with HTTP/1.1 302 Moved Temporarily\r\n) and did a make/make install to update sp_react.o (the object file). But I am still receiving HTTP 403.

Kindly let me know if I am missing anything. Thank You!

Regards,
Rishabh Shah.
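An added example, not Snort's sp_react.c and not from the post: it assembles the kind of response a react-style block injects and checks the two things that make such a page fail silently, a Content-Length that does not match the body and a 3xx status without a Location header (a 302 with no Location redirects nowhere). It also pads short bodies, because Internet Explorer's "friendly HTTP error messages" replace error bodies shorter than 512 bytes with the browser's own page, which is one common reason a small 403 body never appears. If a rebuilt sp_react.c still produces a 403, it is worth confirming that the snort binary on PATH is the one make install wrote (`command -v snort` and the build shown by `snort -V`), since a distribution package and a source build usually live in different directories.

```python
def build_block_response(status_line, body_html, location=None, pad_to=512):
    """Assemble the HTTP response a react-style block injects toward the client.
    Constructed example; not the response format from Snort's source.
    pad_to: pad short error bodies so browsers that substitute 'friendly' error
    pages for bodies under 512 bytes still render the block notice."""
    body = body_html.encode("utf-8")
    if pad_to and len(body) < pad_to:
        body = body.ljust(pad_to, b" ")  # trailing whitespace after </html> is harmless
    headers = [
        status_line,
        "Connection: close",
        "Content-Type: text/html; charset=utf-8",
        "Content-Length: %d" % len(body),
    ]
    if location:
        headers.append("Location: " + location)  # a 3xx without Location does not redirect
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def parse_response(raw):
    """Split a raw HTTP response into (status code, {header: value}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(": ")
        headers[name.lower()] = value
    return status, headers, body


def check_response(raw):
    """Return (status, problems): a Content-Length that disagrees with the body,
    or a redirect status with no Location header."""
    status, headers, body = parse_response(raw)
    problems = []
    if int(headers.get("content-length", "-1")) != len(body):
        problems.append("content-length mismatch")
    if 300 <= status < 400 and "location" not in headers:
        problems.append("redirect without Location")
    return status, problems


if __name__ == "__main__":
    page = "<!DOCTYPE html><html><body><h1>Blocked by policy</h1></body></html>"
    print(build_block_response("HTTP/1.1 403 Forbidden", page).decode())
    print(check_response(build_block_response("HTTP/1.1 302 Moved Temporarily", "",
                                              location="http://blockpage.example/")))
```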
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Weir, Jason | 24 Feb 22:01 2015

Sourcefire Intrusion Agent

Anyone using the Intrusion Agent on a self built snort sensor to integrate with Defense Center, or have docs regarding its setup?

 

Jason

 

James Dickenson | 24 Feb 03:44 2015

False positives on mysql traffic

Has anyone else noticed these signatures creating false positives on MySQL traffic (usually port 3306)?

Anyone have any thoughts on how to tune it out?



alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 03|"; depth:5; dsize:<160; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32609; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 02|"; depth:5; dsize:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32610; rev:1;)


-James
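An added example (not from the post or the rule set) that decodes what those two content matches look like on port 3306. A MySQL client packet starts with a 3-byte little-endian payload length, a 1-byte sequence number and then the command byte, so `41 00 00 00 03` is simply a 65-byte COM_QUERY packet with sequence 0, and `01 00 00 00 02` a 1-byte COM_INIT_DB packet, both ordinary client traffic. The sample query packet is constructed; the rule strings are abridged from the post. The `suppress` line is threshold.conf syntax for silencing one SID toward a given host, which survives rule updates better than editing the vendor rule (the host IP is a placeholder).

```python
import re

# Abridged from the two rules quoted in the post (options not needed here are dropped).
RULE_32609 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC '
              'variant registration message"; flow:to_server,established; content:"|41 00 00 00 03|"; '
              'depth:5; dsize:<160; sid:32609; rev:2;)')
RULE_32610 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC '
              'variant keepalive"; flow:to_server,established; content:"|01 00 00 00 02|"; depth:5; '
              'dsize:5; sid:32610; rev:1;)')

# MySQL client command bytes (subset).
MYSQL_COMMANDS = {0x00: "COM_SLEEP", 0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY",
                  0x04: "COM_FIELD_LIST", 0x0e: "COM_PING", 0x16: "COM_STMT_PREPARE",
                  0x17: "COM_STMT_EXECUTE"}

CONTENT_HEX = re.compile(r'content:"\|([0-9A-Fa-f ]+)\|"')


def rule_content_bytes(rule):
    """Extract the first pure-hex content match of a Snort rule as bytes."""
    m = CONTENT_HEX.search(rule)
    return bytes.fromhex(m.group(1)) if m else None


def decode_mysql_client_packet(data):
    """Header: 3-byte little-endian payload length, 1-byte sequence id, command byte."""
    if len(data) < 5:
        return None
    length = data[0] | (data[1] << 8) | (data[2] << 16)
    return {"length": length, "sequence": data[3],
            "command": MYSQL_COMMANDS.get(data[4], "0x%02x" % data[4])}


def packet_is_consistent(data):
    """True when the declared length matches the bytes present after the 4-byte header,
    i.e. the payload is self-consistent MySQL framing, not a coincidental prefix."""
    hdr = decode_mysql_client_packet(data)
    return hdr is not None and hdr["length"] == len(data) - 4


def mysql_query_packet(query, seq=0):
    """Build a COM_QUERY client packet (constructed sample traffic)."""
    body = b"\x03" + query
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


# 64-byte constructed query: body = command byte + query = 65 bytes, the 0x41 in the rule.
SAMPLE_QUERY = b"SELECT * FROM accounts WHERE balance > 100 ORDER BY balance DESC"
SAMPLE_PACKET = mysql_query_packet(SAMPLE_QUERY)


def suppress_line(gid, sid, track, ip):
    """threshold.conf entry that silences one signature for traffic toward/from one host."""
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (gid, sid, track, ip)


if __name__ == "__main__":
    for rule in (RULE_32609, RULE_32610):
        print(decode_mysql_client_packet(rule_content_bytes(rule)))
    print(suppress_line(1, 32609, "by_dst", "MYSQL_SERVER_IP_PLACEHOLDER"))
```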
Lena Okanovic | 24 Feb 01:24 2015

real-time alerting and rule to monitor only specific traffic

Hello,


How can I only monitor TCP traffic that is not on port 80 or 443 or on our DMZ IP address? And also, can someone please provide me with instructions on how to set up real-time (email) alerting in Snort on a Windows server box.

So, if 'bad' TCP traffic comes through, I would like to get an email right away letting me know.




Thank you,


Lena Okanovic

lokanovic <at> flightapps.com
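An added example, not part of the post and not a Snort feature: a small watcher that tails the fast-format alert file and mails each new event, which is the simplest way to get real-time email out of a Snort box that has no management console. It assumes Snort runs with `-A fast` (on Windows the file is commonly C:\Snort\log\alert.ids), an SMTP relay that accepts mail from the sensor, and the placeholder addresses shown. The traffic selection itself belongs in a rule rather than the script, along the lines of `alert tcp !$DMZ_NET any -> $HOME_NET ![80,443] (msg:"TCP to non-web port"; sid:1000001; rev:1;)` with `DMZ_NET` defined as an ipvar in snort.conf; that rule text is an assumption about the intended policy, not from the post.

```python
import re
import smtplib
import sys
import time
from email.message import EmailMessage

# Snort "-A fast" alert line, e.g. the [Drop] line quoted elsewhere in this digest.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed alert line in the same format (not a real event).
SAMPLE_ALERT = ("02/23-10:00:01.000001  [**] [1:1000001:1] TCP to non-web port [**] "
                "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
                "203.0.113.7:51234 -> 192.0.2.10:3389")


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None


def follow(path, poll=1.0):
    """Yield lines appended to the alert file after start-up (like tail -f)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


def build_email(alerts, sender, recipient):
    """One mail per batch; a lower Priority number is more severe in Snort."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "[snort] %d alert(s), highest priority %d" % (
        len(alerts), min(int(a["prio"]) for a in alerts))
    lines = ["%(ts)s %(proto)s %(src)s:%(sport)s -> %(dst)s:%(dport)s "
             "[%(gid)s:%(sid)s:%(rev)s] %(msg)s" % a for a in alerts]
    msg.set_content("\n".join(lines))
    return msg


def send(msg, smtp_host, smtp_port=25):
    """Hand the message to the relay (assumed to accept mail from the sensor)."""
    with smtplib.SMTP(smtp_host, smtp_port) as s:
        s.send_message(msg)


if __name__ == "__main__":
    alert_file = sys.argv[1] if len(sys.argv) > 1 else r"C:\Snort\log\alert.ids"  # assumed path
    for line in follow(alert_file):
        event = parse_fast_alert(line)
        if event:
            send(build_email([event], "snort@example.invalid", "soc@example.invalid"),
                 "mailhost.example.invalid")
```

Batching (collect events for a few seconds before sending) keeps a noisy rule from turning into a mail flood; the per-event loop above is the minimal form.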

Dan Roberts | 23 Feb 16:57 2015

preprocessors rules

Hi all,

One of my Snort sensors (eth1) is listening to the network traffic of many VLANs sharing the same trunk.
Although I've defined only one VLAN (IP subnet) as my HOME_NET in snort.conf,
I receive many preprocessor alarms related to other VLANs (IP subnets) with no relation to my HOME_NET.

My question: do the preprocessor rules apply to all the network traffic the sensor sees, regardless of the HOME_NET setting in snort.conf? Or is there something I missed?

Thanks in advance for your help !

Dan




 
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
reniykec | 23 Feb 11:51 2015

Increase detection rate

Hi, please, I want to know if there is any way to increase the Snort detection rate.
Thanks.

Sent from my acer Liquid Z3

Henry Collins | 23 Feb 11:41 2015

Cannot get Snort listen on a second network interface (creating a gateway)

I have a small subnet that consists of several computers. I want to configure these computers in such a way that they would use my gateway to access each other and the external internet.

There is already a gateway working in the subnet, but it doesn't have Snort installed. Its IP is 10.165.17.1.

I am working on creating another gateway that would use the upper gateway to serve computers in the subnet, but this gateway would receive packets from computers in the subnet. In this way, I want to instruct Snort to listen on, for example, eth1, which would be used for computers in the subnet, and eth0 for communication with the subnet's gateway (10.165.17.1). How is it done?

Here is a short overview of my network:

Gateways:
10.165.17.1 (has access to external internet and computers in the subnet)
10.165.17.70 (is used by computers in the subnet as gateway and uses 10.165.17.1 as its gateway)

Computers:
10.165.17.60 (gateway: 10.165.17.70)
10.165.17.61 (gateway: 10.165.17.70)
and so on...

This is my /etc/network/interfaces so far. However, eth1 doesn't get an IP. How do I fix this? I want to make Snort listen on eth1:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.165.17.66
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

# The secondary network interface
auto eth1
iface eth1 inet static
address 10.165.17.70
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

This is output from ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
          inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137 errors:0 dropped:21 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16987 (16.9 KB)  TX bytes:928 (928.0 B)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
          inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:92 errors:0 dropped:11 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9675 (9.6 KB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
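An added example, not from the post: a checker for /etc/network/interfaces that flags the two things in the quoted file most likely to explain an interface without an address. Two static stanzas each declaring a `gateway` means ifupdown tries to install a second default route, which the kernel rejects and ifup reports as a failure for that interface; and two interfaces addressed inside the same /24 give the kernel two routes to one subnet, so the box cannot act as a router with an inside and an outside side. POSTED_INTERFACES is the configuration from the message; PROPOSED_INTERFACES is an assumed layout that passes both checks, which would mean renumbering the inside hosts onto 192.168.50.0/24 with 192.168.50.1 as their gateway (and enabling IP forwarding, which this checker does not cover).

```python
import ipaddress

# The poster's /etc/network/interfaces, as quoted in the message (comments dropped).
POSTED_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.165.17.66
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

auto eth1
iface eth1 inet static
address 10.165.17.70
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255
"""

# Assumed layout that passes both checks (not from the post): eth0 faces the upstream
# gateway and owns the only default route; eth1 gets its own subnet for the inside hosts.
PROPOSED_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.165.17.70
netmask 255.255.255.0
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11

auto eth1
iface eth1 inet static
address 192.168.50.1
netmask 255.255.255.0
"""


def parse_interfaces(text):
    """Parse ifupdown stanzas into {iface: {option: value}} (only what the checks need)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            continue
        elif current is not None:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def lint_interfaces(text):
    """Return findings: more than one default gateway, or static interfaces sharing a subnet."""
    stanzas = parse_interfaces(text)
    findings = []
    gateways = [(name, s["gateway"]) for name, s in stanzas.items() if "gateway" in s]
    if len(gateways) > 1:
        findings.append("multiple default gateways: " + ", ".join("%s via %s" % g for g in gateways))
    nets = []
    for name, s in stanzas.items():
        if s.get("method") == "static" and "address" in s and "netmask" in s:
            nets.append((name, ipaddress.ip_interface("%s/%s" % (s["address"], s["netmask"])).network))
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append("%s and %s are both inside %s" % (n1, n2, net1))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_INTERFACES), ("proposed", PROPOSED_INTERFACES)):
        print(label, lint_interfaces(cfg) or ["no findings"])
```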

James Lay | 22 Feb 16:59 2015

Re: Snort unable to drop packets in inline mode

On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
Hi James,


Thanks for looking into this. In your case, the HTTP request is getting blocked by snort. But the same is not happening in my case. Any other command output that could help you figure out this issue?

On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay <at> slave-tothe-box.net> wrote:
On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
Hi Snort-Experts,


I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable to drop packets, despite a drop alert being generated:
02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80


-> Following rule in snort.rules file is getting triggered for the above alert log.
drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)




===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================


Interestingly, Blacklist means getting dropped/blocked/not-allowed-through/whatever you want to call it.  Case in point below:

start line:
sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
Reload thread starting...
Reload thread started, thread 0x7f383d236700 (3419)

        --== Initialization Complete ==--

snort rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

wget from remote box:
[07:09:05 $] wget http://192.168.1.73/index.html
--2015-02-22 07:09:44--  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

tshark on ips box:
31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557 HTTP/1.1 200 OK  (text/html)
43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0

snort result using console:
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80

and lastly, snort stats after kill:
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12                  <----------- injected RST I am guessing
===============================================================================

===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

And there ya go.

James





--
Regards,
Rishabh Shah.

Rishabh,

How are you confirming that this isn't getting dropped/blocked/blacklisted?  Do you have a capture, or can you capture on the IPS to see what the traffic is looking like?

James
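An added example, not from the thread: it parses the end-of-run counters Snort prints and answers James's question mechanically. A `drop` rule that actually enforces shows up under Verdicts as Block or Blacklist; Blacklist is the DAQ verdict that drops the packet and every later packet of the same flow, which is why James's run shows 7 Blacklist verdicts beside 3 [Drop] console lines, and why Rishabh's 394 Blacklist verdicts with Block at 0 are consistent with traffic being dropped rather than evidence against it. The counters and console lines below are James's, copied from his message; the "not running inline" branch is exercised with a constructed counter set.

```python
import re

# James's end-of-run counters and console alerts, quoted from the message above.
STATS_TEXT = """\
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""
CONSOLE_TEXT = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
"""

# "Name:   123" lines; section headers ("Verdicts:") carry no number and are skipped.
STAT_LINE = re.compile(r"^\s*([A-Za-z]+):\s+(\d+)", re.M)


def parse_snort_stats(text):
    """Return {counter name: integer value} for every numbered line in the summary."""
    return {name: int(value) for name, value in STAT_LINE.findall(text)}


def count_drop_alerts(console_text):
    """Number of console alerts whose action was Drop."""
    return sum(1 for line in console_text.splitlines() if "[Drop]" in line)


def inline_block_check(stats, drop_alerts):
    """Return (blocked_packets, notes). Enforcement is visible only as Block/Blacklist
    verdicts; Blacklist counts the dropped packet plus every later packet of that flow."""
    blocked = stats.get("Block", 0) + stats.get("Blacklist", 0)
    notes = []
    if drop_alerts and blocked == 0:
        notes.append("%d [Drop] alerts but zero Block/Blacklist verdicts: not running inline" % drop_alerts)
    elif blocked:
        notes.append("%d packets blocked for %d [Drop] alerts" % (blocked, drop_alerts))
    if stats.get("Injected", 0):
        notes.append("%d packets injected by the sensor (e.g. resets)" % stats["Injected"])
    if stats.get("Dropped", 0):
        notes.append("Packet I/O 'Dropped' is capture loss, not enforcement")  # easy to confuse
    return blocked, notes


if __name__ == "__main__":
    stats = parse_snort_stats(STATS_TEXT)
    print(inline_block_check(stats, count_drop_alerts(CONSOLE_TEXT)))
```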
Arun Koshal | 21 Feb 16:55 2015

Dynamic preprocessor - detection engine on normalized data only

Hi,

We are developing a simple Snort dynamic preprocessor for a TCP-based application. The application traffic consists of messages of varying lengths between the client and server. The objective of the preprocessor is to have Snort do rule detection on messages rather than on packets.

The preprocessor simply identifies the message boundaries based on the message length in the message header and copies the message into DecodeBuffer.data. We are calling the SetAltDecode function with the proper message length, followed by _dpd.detect(). We observe that Snort is still working on the packet payload instead of this normalized DecodeBuffer. Is this behavior correct?

How can we make the Snort rule engine work on the normalized payload in DecodeBuffer and ignore the payload in the Packet?

We are using Snort 2.9.6.2.

Please suggest.

Thanks,
Arun
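An added example that is independent of the Snort dynamic preprocessor API in the post (it uses none of SetAltDecode or _dpd.detect): the message framing such a preprocessor performs, in plain Python, over a constructed length-prefixed format (2-byte big-endian body length, then the body). It shows the reason for doing detection on whole messages in the first place: a pattern cut across two TCP segments is invisible to per-segment matching and found once messages are reassembled, and a declared length above a sane limit is rejected rather than buffered without bound.

```python
import struct


class MessageFramer:
    """Reassemble length-prefixed application messages from consecutive TCP payloads.
    Constructed wire format: 2-byte big-endian body length followed by the body."""
    HEADER_LEN = 2

    def __init__(self, max_body=4096):
        self.buf = bytearray()
        self.max_body = max_body  # cap on declared length; protects the reassembly buffer

    def feed(self, segment):
        """Append one TCP payload; return every complete message now available."""
        self.buf += segment
        messages = []
        while len(self.buf) >= self.HEADER_LEN:
            (body_len,) = struct.unpack("!H", bytes(self.buf[:self.HEADER_LEN]))
            if body_len > self.max_body:
                raise ValueError("declared length %d exceeds limit %d" % (body_len, self.max_body))
            end = self.HEADER_LEN + body_len
            if len(self.buf) < end:
                break  # the tail of this message is still in flight
            messages.append(bytes(self.buf[self.HEADER_LEN:end]))
            del self.buf[:end]
        return messages


def encode_message(body):
    """Frame one body in the constructed format."""
    return struct.pack("!H", len(body)) + body


def split_stream(stream, sizes):
    """Cut a byte stream at arbitrary offsets to imitate TCP segmentation."""
    segments, pos = [], 0
    for n in sizes:
        segments.append(stream[pos:pos + n])
        pos += n
    segments.append(stream[pos:])
    return [s for s in segments if s]


def detect_per_segment(segments, pattern):
    """Indices of segments containing the pattern (what packet-level matching sees)."""
    return [i for i, seg in enumerate(segments) if pattern in seg]


def detect_per_message(segments, pattern):
    """Indices of reassembled messages containing the pattern."""
    framer, hits, idx = MessageFramer(), [], 0
    for seg in segments:
        for msg in framer.feed(seg):
            if pattern in msg:
                hits.append(idx)
            idx += 1
    return hits


# Constructed traffic: three messages, the second carries the pattern; the segment
# boundaries are chosen so the pattern straddles two segments.
PATTERN = b"DROP TABLE"
STREAM = b"".join(encode_message(m) for m in (b"HELLO v1", b"EXEC DROP TABLE audit", b"BYE"))
SEGMENTS = split_stream(STREAM, [12, 9])


if __name__ == "__main__":
    print("per segment:", detect_per_segment(SEGMENTS, PATTERN))
    print("per message:", detect_per_message(SEGMENTS, PATTERN))
```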
