Snort mailing list archives

Re: Advice on multiple packet capture


From: Matt Olney <molney () sourcefire com>
Date: Wed, 14 Jan 2009 09:13:08 -0500

Hint
  -  Pay attention to client side reassembly, the default is not to
reassemble on traffic TO the client.

Matt

On Wed, Jan 14, 2009 at 5:38 AM, Leon Ward <seclists () rm-rf co uk> wrote:
Hi
The flowbit is only valid for the stream where it has been set.
The two GETs for the JPG files (as you stated) will be in separate requests,
so flowbits won't help you here.
Instead of focusing on the URI of the GET, how about you focus on the HTML
source of the web page that contains the <img src="a.jpg"> tags?
Hints
 - Check out http_inspect's flow_depth
 - Pay attention to the encoding used by the webserver serving the HTML.
-Leon

On 14 Jan 2009, at 07:39, pieter claassen wrote:

Yes, I agree. What you need to do is write two sets of rules that are
stateful:

Something like this:
Rule1: uricontent:"a.jpg"; flowbits:set,ajpg.seen; flowbits:noalert;
Rule2: flowbits:isset,ajpg.seen; uricontent:"b.jpg"; msg:"saw a.jpg and then b.jpg";
Rule3: uricontent:"b.jpg"; flowbits:set,bjpg.seen; flowbits:noalert;
Rule4: flowbits:isset,bjpg.seen; uricontent:"a.jpg"; msg:"saw b.jpg and then a.jpg";

Regards,
Pieter

On Mon, Jan 12, 2009 at 10:23 PM, jeffs <jeffs () speakeasy net> wrote:

I've been using Snort and still consider myself a newbie although I am
fairly familiar with writing basic rules.  Unfortunately, the feat I
need to perform may need a more advanced set of eyes so I am hoping
someone on this list may be able to help me out.

I need to get only 1 alert on two separate GET requests that contain
different .jpg file names.

For example, there is a web page, it contains A.jpg and B.jpg.  If
someone looks at it I want to be able to get one alert but NOT if they
look at a different page which contains A.jpg and NOT B.jpg or still yet
a different page that contains B.jpg and NOT A.jpg.  Only the page
that contains BOTH .jpgs should generate 1 alert.

I've tried the within keyword but I believe this only searches within a
single packet and as the two separate jpg files are sent via two
separate GET requests, I believe I am working with more than one packet,
am I correct in that assumption?

thanks for any advice.
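Putting Leon's suggestion and Matt's hint together, here is an added example (not posted by anyone in this thread) of a Snort 2.8-style configuration and rule that alerts once on the HTML page that references both images, rather than on the two separate image GETs. The preprocessor lines, the $EXTERNAL_NET/$HOME_NET/$HTTP_PORTS variables, the exact img src strings and the sid are assumptions for illustration; adjust them to the server being watched.

```snort
# Added example for this thread; not from the original posts. sid is a placeholder.

# Matt's hint: stream5 reassembles client->server traffic by default, so the
# server's HTML response (traffic TO the client) must be added explicitly,
# otherwise a page split across several TCP segments is never seen whole.
preprocessor stream5_global: max_tcp 8192
preprocessor stream5_tcp: policy first, ports both 80

# Leon's hint: flow_depth limits how much of the server response body
# http_inspect hands to the rules (default is only the first few hundred
# bytes). flow_depth 0 inspects the whole response.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 } flow_depth 0

# One alert per page that references BOTH a.jpg and b.jpg. Both content
# matches are on the same response, so no flowbits are needed and a page
# that references only one of the two does not fire.
# (Server/client direction is assumed: web server external, browsers in $HOME_NET.)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"HTML page references both a.jpg and b.jpg"; \
    flow:to_client,established; \
    content:"src=\"a.jpg\""; nocase; \
    content:"src=\"b.jpg\""; nocase; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)
```

Two caveats that follow from Leon's second hint: the content strings must match the HTML exactly as the server emits it (single vs. double quotes, relative vs. absolute paths), and if the server compresses the body (Content-Encoding: gzip) the plain-text matches above will not see the img tags at all, so check the response headers with a packet capture before relying on this rule.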




------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
