Snort not detecting outgoing traffic

Posted by Reacen on Server Fault See other posts from Server Fault or by Reacen
Published on 2013-11-13T14:36:15Z Indexed on 2013/11/13 15:59 UTC
Read the original article Hit count: 191

Filed under:

snort

I'm using Snort 2.9 on windows server 2008 R2 x64, with a very simple configuration that goes like this:

# Entire content of Snort.conf:
alert tcp any any -> any any (sid:5000000; content:"_secret_"; msg:"TRIGGERED";)

# command line:
snort.exe -c etc/Snort.conf -l etc/log -A console

Using my browser, I send the string "_secret_" in the url to my server (where Snort is located). Example: http://myserver.com/index.php?_secret_

Snort receives it and throws an alert, it works, no problem ! But when I try something like this :

<?php // (index.php)
header('XTest: _secret_'); // header
echo '_secret_'; // data
?>

If I just request http://myserver.com/index.php, it does not work or detect anything from the outgoing traffic even though the php file is sending the same string both in headers and in data, with no compression/encoding or whatsoever. (I checked using Wireshark)

This looks to me like a Snort problem. No matter what I do it only detects receiving packets. Did anyone ever face this sort of problems with Snort ? Any idea how to fix it ?

Related posts about snort

Snort: not logging anything

as seen on Server Fault - Search for 'Server Fault'
My site seems to be the target of quite a bit of probing over the last few months. In an attempt to get a better handle on this I installed SNORT on one of the machines that has external exposure. Something must not be installed correctly as I see lots of probing in /var/log/messages but snort isn't… >>> More
Snort/Barnyard2 Logging

as seen on Server Fault - Search for 'Server Fault'
I need some help with my Snort/Barnyard2 setup. My goal is to have Snort send unified2 logs to Barnyard2 and then have Barnyard2 send the data to other locations. Here is my currrent setup. OS Scientific Linux 6 Snort Version 2.9.2.3 Barnyard2 Version 2.1.9 Snort command snort -c /etc/snort/snort… >>> More
snort analysis of wireshark capture

as seen on Server Fault - Search for 'Server Fault'
I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps… >>> More
Snort's problems in generating alert from Darpa 1998 intrusion detection dataset.

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi. I’m working on DARPA 1998 intrusion detection dataset. When I run snort on this dataset (outside.tcpdump file), snort don’t generate complete list of alerts. It means snort start from last few hours of tcpdump file and generate alerts about this section of file and all of packets in first hours… >>> More
Snort network instruction Mac OS X

as seen on Super User - Search for 'Super User'
I'm trying to learn network intrusion detection. When I try to launch Snort, in IDS mode, I get this message (I'm running Mac OS X): Initializing Network Interface en1 ERROR: OpenPcap() FSM compilation failed: syntax error PCAP command: snort Fatal Error, Quitting.. How can I fix this problem… >>> More

Developer IT