
[Snort-devel] Snort + FreeBSD 5.1 -> Outbound packet issue.

From: David <ph1(at)cogeco.ca>
Date: Wed Aug 20 2003 - 00:09:57 EDT


Hi, I'm having a problem with both Version 2.0.2beta (Build 90) and Version 2.0.1 (Build 88) on FreeBSD 5.1.

The issue occurs using the following rule:

alert tcp any any -> any any (msg:"LOCAL Idiot Test"; content: "idiot"; sid: 1000004; rev: 1;)

(This rule was also tested using <> and other formats.) The expected output is an alert for the outbound packet and the inbound packets. The problem is that it's only matching the inbound packets.

Doing telnet yahoo.com 80, then GET idiot, returns an inbound rule being matched:

08/20-00:01:14.426618 [**] [1:1000004:1] LOCAL Idiot Test [**] [Priority: 10] {TCP} 66.218.71.198:80 -> 24.141.223.207:57550

Doing snort -dev host yahoo.com and port 80, then testing again, shows that Snort is able to see the payload of the outgoing packet:

08/20-00:02:36.294237 0:1:3:D5:2A:xx -> 0:9:7B:89:38:54 type:0x800 len:0x4D
24.141.xx.xx:57552 -> 66.218.71.198:80 TCP TTL:64 TOS:0x10 ID:36360 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x909DF532 Ack: 0xF4AE5B0A Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 392666985 4210517343

47 45 54 20 69 64 69 6F 74 0D 0A                 GET idiot..

If I ktrace snort I can see the outgoing packet payload, but for some reason it is not taking action and alerting on it.

If anyone has any suggestions, let me know. (PS: Sorry for my spelling/grammar mistakes in this email :P)

Thanks,
David.
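The direction question raised in the post (a rule written with `->` versus `<>`), as an added example that is not part of the original message and not Snort's own code: a small Python evaluator for Snort-style rule headers plus a plain content: option, run over constructed packets modelled on the quoted telnet exchange. The client and server addresses are RFC 5737 documentation addresses, the server reply is assumed, and Snort features such as $HOME_NET variables, port lists, negation, depth/offset and stream reassembly are deliberately left out, so the code reflects only header/direction and plain content-match semantics.

```python
"""
Added example (not Snort code): evaluate which direction(s) a Snort-style
rule should fire on, using only the header fields and the content: option.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def flipped(self):
        """Same packet seen from the other endpoint (used for '<>' rules)."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport, self.payload)


# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into its header fields and a dict of 'key: value' options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"') if value else True
    return header, opts


def _one_way(h, pkt):
    """Header match ignoring the direction operator ('any' or exact value only)."""
    return ((h["src"] == "any" or h["src"] == pkt.src)
            and (h["sport"] == "any" or h["sport"] == str(pkt.sport))
            and (h["dst"] == "any" or h["dst"] == pkt.dst)
            and (h["dport"] == "any" or h["dport"] == str(pkt.dport)))


def header_matches(header, pkt):
    """'->' matches one direction only; '<>' also matches the flipped packet."""
    if header["proto"] not in ("ip", pkt.proto):
        return False
    if _one_way(header, pkt):
        return True
    return header["dir"] == "<>" and _one_way(header, pkt.flipped())


def rule_fires(rule_text, pkt):
    """True when both the header and the content: option match this packet."""
    header, opts = parse_rule(rule_text)
    if not header_matches(header, pkt):
        return False
    content = opts.get("content")
    if isinstance(content, str) and content.encode() not in pkt.payload:
        return False
    return True


# The rule from the post, plus two directional variants for comparison.
RULE_ANY = 'alert tcp any any -> any any (msg:"LOCAL Idiot Test"; content: "idiot"; sid: 1000004; rev: 1;)'
RULE_TO_80 = 'alert tcp any any -> any 80 (msg:"outbound only"; content: "idiot"; sid: 1000005; rev: 1;)'
RULE_BIDIR = 'alert tcp any any <> any 80 (msg:"either way"; content: "idiot"; sid: 1000006; rev: 1;)'

# Constructed packets (documentation addresses, not the poster's): the outbound
# request carries the payload shown in the post; the reply is assumed to echo
# the bad request line; QUIET is a control packet with no matching content.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
OUTBOUND = Packet("tcp", CLIENT, 57552, SERVER, 80, b"GET idiot\r\n")
INBOUND = Packet("tcp", SERVER, 80, CLIENT, 57552,
                 b"HTTP/1.0 400 Bad Request\r\n\r\nidiot is not a valid method\r\n")
QUIET = Packet("tcp", CLIENT, 57553, SERVER, 80, b"GET / HTTP/1.0\r\n\r\n")


def expected_alerts(rule_text):
    """Map each sample packet name to whether the rule should fire on it."""
    return {name: rule_fires(rule_text, pkt)
            for name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND), ("quiet", QUIET))}


if __name__ == "__main__":
    for rule in (RULE_ANY, RULE_TO_80, RULE_BIDIR):
        print(parse_rule(rule)[1]["msg"], expected_alerts(rule))
```

With the poster's `any any -> any any` rule the evaluator expects an alert on both the outbound request and the inbound reply, so a missing outbound alert is not explained by the rule header or its direction operator. The two variants show the actual difference the operator makes: `-> any 80` fires only on the client-to-server packet, while `<> any 80` fires on either direction of the same conversation.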




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Wed Aug 20 04:49:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:07 EDT

