'[Snort-devel] Snort + FreeBSD 5.1 -> Outbound packet issue.'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    [Snort-devel] Snort + FreeBSD 5.1 -> Outbound packet issue.
From:       David <ph1 () cogeco ! ca>
Date:       2003-08-20 4:09:57
[Download RAW message or body]

Hi, I'm having a problem with both Version 2.0.2beta (Build 90) and 
Version 2.0.1 (Build 88) on FreeBSD 5.1.

The issue occurs using the following rule: alert tcp any any -> any any 
(msg:"LOCAL Idiot Test"; content: "idiot"; sid: 1000004; rev: 1;) (This 
rule was also tested using <> and other formats) The expected output is 
a alert for the outbound packet and inbound packets. The problem is that 
it's only matching the inbound packets.

Doing telnet yahoo.com 80, then GET idiot returns a inbound rule being 
matched,
08/20-00:01:14.426618  [**] [1:1000004:1] LOCAL Idiot Test [**] 
[Priority: 10] {TCP} 66.218.71.198:80 -> 24.141.223.207:57550

Doing snort -dev host yahoo.com and port 80 then testing again shows 
that snort is able to see the payload of the outgoing packet,
08/20-00:02:36.294237 0:1:3:D5:2A:xx -> 0:9:7B:89:38:54 type:0x800 len:0x4D
24.141.xx.xx:57552 -> 66.218.71.198:80 TCP TTL:64 TOS:0x10 ID:36360 
IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x909DF532  Ack: 0xF4AE5B0A  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 392666985 4210517343
47 45 54 20 69 64 69 6F 74 0D 0A                 GET idiot..

If I ktrace snort I can see the outgoing packet payload, but for some 
reason it is not taking action and alerting on it.

If anyone has any suggestions let me know. (PS: Sorry for my 
spelling/grammar mistakes in this email:P)
Thanks,
David.




-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
best hiring companies. http://www.dice.com/index.epl?rel_code=104
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic