Apr 29, 2008

why snort content doesn't work

Posted by PanamaJax on November 17, 2005 20:47:23

win32 based...
running in packet mode works fine

in IDS mode:
alert tcp any any -> any any (msg:"TCP traffic";) works fine

alert tcp any any -> any any (flow: to_server, established; content: "test"; msg: "Saw Test";) - does absolutely nothing when 'test' is sent by any method: Messenger service, http, telnet, ftp etc.

Based on the default virus.rules it should alert on an email being sent with a .vbs attachment, but it doesn't, through POP or Exchange.

Everything seems to work fine, just not with a content statement. I've tried every permutation I can come up with (inbound/outbound, stateless, etc.) and I don't get it.

If a user were to type 'google' in the web browser and there was an active rule:
alert tcp any any -> any any (flow: to_server, established; content: "google"; nocase; msg: "Saw google";)

shouldn't that trigger the alert?

Posted by brevizniak on November 26, 2005 18:36:50

Yes, it should work fine. There are some things to check:

- you actually see 'test' in the traffic when running with -dve
- you can see both sides of the connection
- the flow preprocessor is enabled
- the stream4 preprocessor is enabled
- you are not testing on the machine you are snorting from
  This is because a lot of systems have cards that compute a checksum in hardware, so if you test and sniff on the same machine Snort may ignore the traffic because of a bad checksum.
