Snort not detecting outgoing traffic
Posted by Reacen on Server Fault
Published on 2013-11-13T14:36:15Z
Indexed on 2013/11/13 15:59 UTC
snort
I'm using Snort 2.9 on Windows Server 2008 R2 x64, with a very simple configuration that goes like this:
# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";)
# command line:
snort.exe -c etc/Snort.conf -l etc/log -A console
Using my browser, I send the string "_secret_" in the URL to my server (where Snort is located). Example: http://myserver.com/index.php?_secret_
Snort receives it and throws an alert. It works, no problem! But when I try something like this:
<?php // (index.php)
header('XTest: _secret_'); // header
echo '_secret_'; // data
?>
If I just request http://myserver.com/index.php, it does not work or detect anything from the outgoing traffic, even though the PHP file is sending the same string both in the headers and in the data, with no compression or encoding whatsoever. (I checked using Wireshark.)
This looks to me like a Snort problem. No matter what I do, it only detects received packets. Did anyone ever face this sort of problem with Snort? Any idea how to fix it?
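A check that fits the symptom described above, added here as an example and not part of the original post: when the sensor runs on the host that sends the traffic, TCP checksum offload can leave locally captured outbound segments with unfinished checksums, and Snort in its default checksum mode does not run rules over packets whose checksum fails (`-k none` turns that verification off). The addresses, ports and packet bytes below are constructed, and modelling the offloaded checksum field as the bare pseudo-header sum is an assumption.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """True if the TCP checksum of a raw IPv4 packet verifies."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ip_packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    segment = ip_packet[ihl:total_len]
    # Pseudo-header: source address, destination address, zero, protocol, TCP length
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return ones_sum(pseudo + segment) == 0xFFFF

def build_packet(src, dst, sport, dport, payload, offloaded=False):
    """Constructed IPv4/TCP packet (IP header checksum left at 0, not checked here).
    offloaded=True mimics a segment captured before the NIC completed the
    checksum (assumption: the field holds only the pseudo-header sum)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ones_sum(pseudo) if offloaded else ~ones_sum(pseudo + tcp) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    return ip + tcp

# Constructed samples: the browser request and the PHP response from the post
REQUEST = b"GET /index.php?_secret_ HTTP/1.1\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nXTest: _secret_\r\n\r\n_secret_"
INBOUND = build_packet("198.51.100.7", "192.0.2.10", 49152, 80, REQUEST)
OUTBOUND = build_packet("192.0.2.10", "198.51.100.7", 80, 49152, RESPONSE, offloaded=True)
OUTBOUND_ON_WIRE = build_packet("192.0.2.10", "198.51.100.7", 80, 49152, RESPONSE)

if __name__ == "__main__":
    for name, pkt in (("inbound", INBOUND), ("outbound (local capture)", OUTBOUND),
                      ("outbound (on the wire)", OUTBOUND_ON_WIRE)):
        print(f"{name}: contains _secret_={b'_secret_' in pkt}, "
              f"tcp checksum ok={tcp_checksum_ok(pkt)}")
```

If outbound packets in a capture taken on the server fail this check while inbound ones pass, rerunning the same command line with `-k none` added tells you whether checksum verification is what hides them from the rule.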
© Server Fault or respective owner