Snort mailing list archives
Re: Help with a rule
From: Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com>
Date: Fri, 6 Mar 2009 12:22:42 -0600
Thanks. However, when I apply the rule:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type |3A| text/"; nocase; sid:1000001; rev:1; \
classtype:web-application-activity;)

I got:

ERROR: Warning: rules/local.rules(10) => Unknown keyword ' sid' in rule!
Fatal Error, Quitting..

What am I missing?

Regards,
LD

On Friday 06 March 2009 08:12:54 Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with "alert" instead of "log" and skipping the "tag:session;" may be smart - it would be easy to overload your IDS with this if it's not very powerful, or if it's attempting to do anything else.
>
> That said, the rule you'd want for a purpose like this - which I'm sure you realize is only a stopgap, since it's really the web app's job to be doing logging like this - would look more like:
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type|3A| text/"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
>
> Key differences:
>
> * $HTTP_PORTS is actually a default Snort variable, as opposed to $PORT_HTTP
> * Since the Content-Type header will be present in things coming *from* the web server, and not going to it, the direction is set properly now
> * "flow:established,from_server;" will save Snort a lot of work looking at packets that will never match, based on them being in the wrong part of the TCP stream
> * The "|3A|" in the content is necessary, because a colon in a content clause will cause a syntax error
> * Removed "http_header", since it's for client requests, and you're looking for server responses
> * Removed quotes from the classtype, as that's another fatal syntax error
>
> Hope that helps.
>
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
>
> On Thu, Mar 5, 2009 at 11:21 PM, Frank Knobbe <frank () knobbe us> wrote:
>
> > On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> >
> > > Logs all http packets that have a text/* mime type.
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001; rev:1;)
> > >
> > > Does it capture all packets? Does it log?
> >
> > (Your rule alerts)
> >
> > Strictly speaking, you probably would want to use the following modifications for his specific need:
> >
> > log tcp any any -> any $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)
> >
> > :)
> >
> > Cheers,
> > Frank

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
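The syntax pitfalls the thread turns on (an undefined $PORT_HTTP variable, a raw colon inside a content string, a quoted classtype, a malformed option such as a missing colon after msg that Snort reports as an "Unknown keyword", and rules split over lines with a trailing backslash) can be checked before Snort ever reads local.rules. The following is an added example, not code from this thread or from Snort: a small Python linter whose checks encode the thread's advice rather than Snort's real parser. The set of defined variables is an assumption, and the three sample rules are constructed for illustration (the first is Paul's rule as posted, the second is Alex's rule with the colon after msg deliberately dropped, the third is Alex's rule spread over several lines).

```python
"""Added example: a small linter for the Snort 2 rule-syntax pitfalls raised
in this thread. It is NOT Snort's parser; the checks encode the thread's
advice, and the variable set and sample rules are constructed for illustration."""
import re

# Assumption: variables defined in the local snort.conf. $PORT_HTTP is not
# one of them, which is the first problem Alex pointed out.
DEFINED_VARS = {"$HOME_NET", "$EXTERNAL_NET", "$HTTP_PORTS", "$HTTP_SERVERS"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)
KEYWORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def join_continuations(text: str) -> str:
    """Snort joins a line ending in a backslash with the following line."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def split_options(body: str) -> list:
    """Split the option body on ';', ignoring ';' inside quotes and '\\;' escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            escaped = True
            cur.append(ch)
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def lint_rule(text: str) -> list:
    """Return a list of findings; an empty list means the rule passed every check."""
    findings = []
    rule = join_continuations(text).strip()
    m = HEADER_RE.match(rule)
    if not m:
        return ["cannot parse rule header"]
    for field in ("src", "sport", "dst", "dport"):
        tok = m.group(field)
        if tok.startswith("$") and tok not in DEFINED_VARS:
            findings.append(f"undefined variable {tok}")
    for opt in split_options(m.group("body")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        # A missing ':' after msg turns the whole 'msg"..."' token into the
        # keyword, which Snort reports as an unknown keyword.
        if not KEYWORD_RE.fullmatch(key):
            findings.append(f"unknown keyword {key!r}")
            continue
        if key == "classtype" and val.startswith('"'):
            findings.append("classtype value must not be quoted")
        if key == "content":
            # Drop |..| hex groups, then look for a raw colon in the match string.
            outside_hex = re.sub(r"\|[0-9A-Fa-f ]*\|", "", val.strip('"'))
            if ":" in outside_hex:
                findings.append("raw ':' inside content (thread advises |3A|)")
    return findings


# Constructed samples: Paul's rule as posted, Alex's rule with the ':' after
# msg deliberately dropped, and Alex's rule split with backslash continuations.
PAUL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP '
    '(msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; '
    'http_header; classtype:"web-application-activity"; sid:1000001; rev:1;)'
)
MISSING_COLON_RULE = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg"text mime type detected in web traffic"; flow:established,from_server; '
    'content:"Content-Type|3A| text/"; nocase; classtype:web-application-activity; '
    'sid:1000001; rev:1;)'
)
FIXED_RULE = """alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( \\
    msg:"text mime type detected in web traffic"; \\
    flow:established,from_server; content:"Content-Type|3A| text/"; nocase; \\
    classtype:web-application-activity; sid:1000001; rev:1; \\
)"""

if __name__ == "__main__":
    for name, rule in (("Paul's rule", PAUL_RULE),
                       ("missing colon", MISSING_COLON_RULE),
                       ("fixed rule", FIXED_RULE)):
        print(f"{name}: {lint_rule(rule) or 'ok'}")
```

Running it reports the undefined variable, the raw colon and the quoted classtype for the first rule, a single unknown-keyword finding for the second, and nothing for the multi-line third, which is the shape Snort's own fatal errors take in the thread. The option splitter honors quotes and backslash escapes so a ';' inside a msg string does not break the rule apart.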
Current thread:
- Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Joel Esler (Mar 05)
- Re: Help with a rule Paul Schmehl (Mar 05)
- Re: Help with a rule Frank Knobbe (Mar 05)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Alex Kirk (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Message not available
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Markus Lude (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 05)