Snort not detecting outgoing traffic

Posted by Reacen on Server Fault See other posts from Server Fault or by Reacen
Published on 2013-11-13T14:36:15Z Indexed on 2013/11/13 15:59 UTC
Read the original article Hit count: 196

Filed under:

I'm using Snort 2.9 on windows server 2008 R2 x64, with a very simple configuration that goes like this:

# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";)

# command line:
snort.exe -c etc/Snort.conf -l etc/log -A console

Using my browser, I send the string "_secret_" in the url to my server (where Snort is located). Example: http://myserver.com/index.php?_secret_

Snort receives it and throws an alert, it works, no problem ! But when I try something like this :

<?php // (index.php)
header('XTest: _secret_'); // header
echo '_secret_'; // data
?>

If I just request http://myserver.com/index.php, it does not work or detect anything from the outgoing traffic even though the php file is sending the same string both in headers and in data, with no compression/encoding or whatsoever. (I checked using Wireshark)

This looks to me like a Snort problem. No matter what I do it only detects receiving packets. Did anyone ever face this sort of problems with Snort ? Any idea how to fix it ?

© Server Fault or respective owner

Related posts about snort