Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http_header ** SOLVED

From: Mike Messick <mikem () tridigitalenterprises com>
Date: Tue, 19 Jan 2010 18:22:45 -0900

I wanted to drop a note to the list saying thanks for the help, and to 
let people know how we solved the issue.

It turns out our proxy server is generating invalid TCP checksums 
(likely due to kernel offloading checksum to NIC), and by default, snort 
appears to drop packets with invalid checksums.

While we still need to fix the proxy server problem, we added the '-k 
none' flag to snort and it's now alerting on http related rules.

Thanks again,
-Mike.


Mike Messick wrote:

No - but when I modify the rule to:

alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to microsoft.com"; content:"microsoft.com"; nocase; 
sid:3000004;)

it will fire if I type 'microsoft.com' into the search window on 
www.microsoft.com.

gahh... This feels obvious, but I'm just not seeing it yet.

-Mike.


evilghost () packetmail net wrote:
  

Mike, I'm curious, does this work?

alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
www.microsoft.com"; content:"|0d 0a|Host\: www.microsoft.com|0d 0a|"; nocase; 
sid:3000004;)

Note, I did not specify an HTTP method so there is potential to false against body content.

PS - Todd says I don't need to escape colon, I'm old school.

-evilghost





Mike Messick wrote:
  
    

Hi Folks,

I'm trying to write some rules that will alert whenever a specific http 
host is requested by a client.  For example:

alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; 
sid:3000004;)

However I cannot get this rule to alert.  What am I doing wrong? 

I did notice this in the release notes for 2.8.6 Beta:
[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these

I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? 

Any help will be most appreciated.

Thanks,
-Mike.


------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  
    
      



------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
  



------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Previous By Date Next
Previous By Thread Next

Current thread: