Re: Complete packet payload search

[luismanuel.carril () usc es]

Finally I´ve found the problem, I haven´t taking into account that the  
web response is usually gzipped, so any Snort rule that looks in the  
http response payload will only find compressed bytes.

And the http_inspect can´t unzip de response...

Anyway, thank you
Lsui M.


Estase citando Jason Brvenik <jasonb () sourcefire com>:

> It appears that you are looking for a web server response in the rule
> below, You should minimally use tcp, add flow direction, and set
> sid/gid. There is a tool that can help you with your rule syntax,
> check out dumbpig - http://code.google.com/p/dumbpig
>
> On Mon, Oct 26, 2009 at 9:25 AM,  <luismanuel.carril () usc es> wrote:
> > I´ve tried it without seeing any difference, and even disabling the
> > http_inspect to see if snort directly inspect the ip/tcp packet...
> >
> > I may be missing something...
> >
> > > Try setting flow_depth to 0 - this will inspect entire server payload.
> >
> > > On 10/26/2009 06:40 AM, luismanuel.carril@us... wrote:
> > > > Hi,
> > > > I´m trying to use Snort to see if some keywords are crossing the
> > > > network in any kind of packet. But , for example, with the rule:
> > > >
> > > > alert ip any 80 -> any any (content:"foo"; msg:"Foo detected";)
> > > >
> > > > If a webserver send me a response with a webpage with the word
> > > > "foo" it isn´t detected. I´ve seen that http_inspect preprocessor has
> > > > a flow_depth parameter but even with it with the value of 1460, I
> > > > still cannot search all the packet payload.
> > > >
> > > > What parameters I need to change to make this possible?
> > > >
> > > > Thank you
> > > > Luis M.
> > > >
> > > > > ------------------------------------------------------------------------------
> > > > Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> > > > is the only developer event you need to attend this year. Jumpstart your
> > > > developing skills, take BlackBerry mobile applications to market and stay
> > > > ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> > > > http://p.sf.net/sfu/devconference
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users@li...
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > ------------------------------------------------------------------------------
> > Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> > is the only developer event you need to attend this year. Jumpstart your
> > developing skills, take BlackBerry mobile applications to market and stay
> > ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> > http://p.sf.net/sfu/devconference
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users