Snort mailing list archives
Re: Complete packet payload search
From: luismanuel.carril () usc es
Date: Mon, 26 Oct 2009 16:37:56 +0100
Finally I've found the problem, I hadn't taken into account that the web response is usually gzipped, so any Snort rule that looks in the http response payload will only find compressed bytes. And the http_inspect can't unzip the response... Anyway, thank you

Luis M.

Quoting Jason Brvenik <jasonb () sourcefire com>:
> It appears that you are looking for a web server response in the rule below. You should minimally use tcp, add flow direction, and set sid/gid. There is a tool that can help you with your rule syntax, check out dumbpig - http://code.google.com/p/dumbpig
>
> On Mon, Oct 26, 2009 at 9:25 AM, <luismanuel.carril () usc es> wrote:
>
> > I've tried it without seeing any difference, and even disabling the http_inspect to see if snort directly inspects the ip/tcp packet... I may be missing something...
> >
> > > Try setting flow_depth to 0 - this will inspect entire server payload.
> > >
> > > On 10/26/2009 06:40 AM, luismanuel.carril@us... wrote:
> > >
> > > > Hi, I'm trying to use Snort to see if some keywords are crossing the network in any kind of packet. But, for example, with the rule:
> > > >
> > > > alert ip any 80 -> any any (content:"foo"; msg:"Foo detected";)
> > > >
> > > > If a webserver sends me a response with a webpage with the word "foo" it isn't detected. I've seen that the http_inspect preprocessor has a flow_depth parameter but even with it set to the value of 1460, I still cannot search all the packet payload. What parameters do I need to change to make this possible? Thank you
> > > >
> > > > Luis M.

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
_______________________________________________
Snort-users mailing list
Snort-users@li...
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
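The cause Luis found, shown as an added example (not code from the thread or from Snort): the same keyword search run over the body bytes of a gzip-encoded HTTP response as they cross the wire, and again after inflating the body. The response, body and keyword are constructed here for the example.

```python
import gzip
from typing import Dict, Tuple

# Constructed sample body and keyword (the thread's "foo" example);
# the HTTP response is built inline so the example runs offline.
BODY = b"<html><body>foo is here</body></html>"
KEYWORD = b"foo"


def build_response(body: bytes, gzipped: bool) -> bytes:
    """Build a minimal HTTP/1.1 response, optionally gzip-encoding the body."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
        body = gzip.compress(body)
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a response into lower-cased header names/values and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def wire_match(raw: bytes, keyword: bytes) -> bool:
    """What a plain content match sees: the body bytes exactly as sent."""
    _, body = split_response(raw)
    return keyword in body


def decoded_match(raw: bytes, keyword: bytes) -> bool:
    """Inflate a gzip-encoded body before matching, as an inspector must."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return keyword in body


if __name__ == "__main__":
    for gzipped in (False, True):
        raw = build_response(BODY, gzipped)
        print(f"gzipped={gzipped}: wire={wire_match(raw, KEYWORD)} "
              f"decoded={decoded_match(raw, KEYWORD)}")
```

A raw `content:"foo"` match succeeds only on the uncompressed response; with `Content-Encoding: gzip` the keyword is present only after decompression, which is why inspecting more of the payload (flow_depth) made no difference.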
Current thread:
- Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Todd Wease (Oct 26)
- <Possible follow-ups>
- Re: Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Jason Brvenik (Oct 26)
- Re: Complete packet payload search luismanuel . carril (Oct 26)
- Re: Complete packet payload search Jason Brvenik (Oct 26)