Subject: Re: [snort] Can't get whisker scan to log
From: Joey McAlerney (joey SiliconDefense.com)
Date: Thu Mar 02 2000 - 19:04:52 CST
- Next message: Mullen, Patrick: "RE: [snort] networks under different CIDR blocks"
- Previous message: Martin Roesch: "[snort] Beta 10.2 (w' Tru64 support) ready [CVS & WWW]"
- In reply to: Joey McAlerney: "[snort] Can't get whisker scan to log"
- Next in thread: Martin Roesch: "Re: [snort] Can't get whisker scan to log"
- Reply: Joey McAlerney: "Re: [snort] Can't get whisker scan to log"
- Reply: Martin Roesch: "Re: [snort] Can't get whisker scan to log"
Disregard this. I found a blasted $HOME_NET redeclaration where it should
not have been.
-Joey
Joey McAlerney wrote:
> Hi everyone,
>
> I can not figure out why snort won't generate an alert on this. The two
> rules are slight modifications of a rule from Rapidnet. The only
> difference between the two is the space between HEAD and /./ in the
> content.
>
> alert tcp any any -> $HOME_NET 80 (msg:"SCAN-Whisker!"; flags:PA;
> content:"HEAD /./";)
> alert tcp any any -> $HOME_NET 80 (msg:"SCAN-Whisker!"; flags:PA;
> content:"HEAD/./";)
>
> I caught this packet running snort in verbose mode... (HOME_NET is
> yy.yyy.yyy.yyy/32)
>
> 03/02-12:16:05.130434 xxx.xx.xxx.xxx:40844 -> yy.yyy.yyy.yyy:80
> TCP TTL:52 TOS:0x0 ID:8375 DF
> *****PA* Seq: 0x705A36BB Ack: 0x86C0E2A3 Win: 0x7D78
> TCP Options => NOP NOP TS: 25179137 256372999
> 48 45 41 44 20 2F 2E 2F 20 48 54 54 50 2F 31 2E HEAD /./ HTTP/1.
> 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 0..User-Agent: M
> 6F 7A 69 6C 6C 61 2F 34 2E 37 20 5B 65 6E 5D 20 ozilla/4.7 [en]
> 28 57 69 6E 39 35 3B 20 55 29 0D 0A 52 65 66 65 (Win95; U)..Refe
> 72 65 72 3A 20 68 74 74 70 3A 2F 2F 36 33 2E 31 rer: http://yy.y
> 39 33 2E 31 30 30 2E 31 30 31 2F 0D 0A 43 6F 6E yy.yyy.yyy/..Con
> 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
> 0D 0A
>
> The alert didn't go off.
>
> In RULES.USAGE it states, "The content string will be matched against
> data contained in the packet payload." I don't see how this can be an
> exact match, but that would explain why the alert isn't going off.
> Perhaps someone could clarify this for me.
>
> I am running 1.6beta10.1 on RH 6.1. Snort was called with -D -d -c
> blah.rules. Oh, and I ran Whisker 1.3.0a like this:
>
> whisker.pl -I 2 -h yy.yyy.yyy.yyy
>
> Thanks,
>
> -Joey
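As an added example (not part of the original thread), a small Python model of how the quoted rule is evaluated: it rebuilds the payload from the hex dump above, applies Snort's content option as the substring search the post asks about, and shows how a $HOME_NET that does not cover the destination suppresses the alert with no error. The addresses are constructed stand-ins for the anonymised ones in the post.

```python
import ipaddress

# Hex dump copied from the post (snort -d output: up to 16 bytes per line, ASCII column after).
HEX_DUMP = """\
48 45 41 44 20 2F 2E 2F 20 48 54 54 50 2F 31 2E HEAD /./ HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 0..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 37 20 5B 65 6E 5D 20 ozilla/4.7 [en]
28 57 69 6E 39 35 3B 20 55 29 0D 0A 52 65 66 65 (Win95; U)..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 36 33 2E 31 rer: http://yy.y
39 33 2E 31 30 30 2E 31 30 31 2F 0D 0A 43 6F 6E yy.yyy.yyy/..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
0D 0A
"""


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the payload: read at most 16 two-digit hex tokens per line and stop
    at the first token that is not one (assumed to be the start of the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if len(tok) == 2 and all(c in "0123456789ABCDEFabcdef" for c in tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def content_matches(payload: bytes, content: str) -> bool:
    """Snort's content option is a substring search over the payload, not an exact match."""
    return content.encode() in payload


def rule_fires(home_net: str, dst_ip: str, dst_port: int, flags: str,
               payload: bytes, content: str) -> bool:
    """Header and options of the post's rule:
    alert tcp any any -> $HOME_NET 80 (flags:PA; content:"...";)"""
    return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(home_net)
            and dst_port == 80 and flags == "PA"
            and content_matches(payload, content))


DST_IP = "192.0.2.10"               # constructed stand-in for yy.yyy.yyy.yyy
HOME_NET = "192.0.2.10/32"          # the intended $HOME_NET declaration
STRAY_HOME_NET = "198.51.100.0/24"  # constructed: a redeclaration covering another net

if __name__ == "__main__":
    payload = parse_hex_dump(HEX_DUMP)
    for content in ("HEAD /./", "HEAD/./"):
        print(repr(content), rule_fires(HOME_NET, DST_IP, 80, "PA", payload, content))
    print("stray HOME_NET:", rule_fires(STRAY_HOME_NET, DST_IP, 80, "PA", payload, "HEAD /./"))
```

With the intended $HOME_NET only the rule with the space fires, because the payload carries "HEAD /./" and substring matching finds it; with the stray declaration neither fires, which is the symptom the reply above traced to the redeclaration.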