[SLUG] Snort rule

From: Doug Koobs (dkoobs@dkoobs.com)
Date: Sun Mar 19 2006 - 21:51:10 EST


Hello Sluggers.

I'm working on a homework assignment using snort. I'm having trouble getting one
rule to work properly. Here is what the instructor requested for this rule:

Create an alert for any incoming packet whose contents contain "tcpdump" (case
sensitive).

By incoming packet, he means anything with a source that is not on the local subnet,
with a destination that is on the local subnet. He has given us a packet capture
file with some traffic he captured to run our rules against. The local network is
172.17.76.0/24. Looking at the file in ethereal, I can see that there are some
incoming packets with "tcpdump" in the payload.

Here is my rule:

alert ip !172.17.76.0/24 any -> 172.17.76.0/24 any (content:"tcpdump";)

However, this rule does not create any alerts. If I change the source to "any any"
it alerts on some packets with a source and destination on the local subnet, but
still not the ones with a source outside the local subnet... I can attach the pcap
file if anyone wants to see it, but it's kind of large (just over 300K). Can anyone
give me a hint on where I went wrong?

Thanks!

Doug
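As an added example (not from Doug's post or from the Snort project), here is the intended matching logic of the rule above written out in Python, so the packets in a capture that ought to raise the alert can be listed independently of Snort; the sample packets are constructed, and the `nocase` flag is only there to show what the case-sensitivity requirement excludes.

```python
import ipaddress

# Local subnet as stated in the post. "Incoming" means the source is outside
# this network and the destination is inside it.
LOCAL_NET = ipaddress.ip_network("172.17.76.0/24")
CONTENT = b"tcpdump"  # matched case-sensitively, as the assignment requires


def is_incoming(src: str, dst: str, local_net=LOCAL_NET) -> bool:
    """True when the packet crosses into the local subnet from outside."""
    return (ipaddress.ip_address(src) not in local_net
            and ipaddress.ip_address(dst) in local_net)


def rule_matches(pkt: dict, local_net=LOCAL_NET, nocase: bool = False) -> bool:
    """Mirror the rule: incoming packet whose payload contains CONTENT."""
    if not is_incoming(pkt["src"], pkt["dst"], local_net):
        return False
    payload, needle = pkt["payload"], CONTENT
    if nocase:  # what Snort's nocase modifier would do; the rule above does not use it
        payload, needle = payload.lower(), needle.lower()
    return needle in payload


def run_rule(packets, local_net=LOCAL_NET, nocase: bool = False):
    """Return the 0-based indices of packets that would raise the alert."""
    return [i for i, p in enumerate(packets) if rule_matches(p, local_net, nocase)]


# Constructed sample traffic (not taken from the poster's capture).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "172.17.76.10", "payload": b"run tcpdump -i eth0"},  # incoming: alert
    {"src": "172.17.76.3", "dst": "172.17.76.10", "payload": b"tcpdump"},          # local to local: no
    {"src": "172.17.76.10", "dst": "10.0.0.5", "payload": b"tcpdump"},             # outgoing: no
    {"src": "10.0.0.5", "dst": "172.17.76.10", "payload": b"TCPDUMP"},             # wrong case: no
    {"src": "192.0.2.7", "dst": "172.17.76.20", "payload": b"xx tcpdump yy"},      # incoming: alert
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_PACKETS))  # [0, 4]
```

Comparing this list against Snort's alerts for the same capture narrows the problem to either the rule text or the way Snort is reading the file.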

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:02:10 EDT