Snort mailing list archives
Re: Issue while detecting patterns in a simple HTTP Page [Web client based]
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 22 Nov 2010 08:32:28 -0500
This is most likely an issue with your server_flow_depth variable, which controls the amount of payload being returned from a web server that is inspected by Snort. By default, it's set to 300 bytes - generally enough to get the HTTP headers and not a great deal else. You can up the value as desired, including setting it to 0 if you want to inspect everything that's returned from a web server. Note that, if you do and you're on a busy network, you may see some performance issues - HTTP traffic is generally around 90% of what you get on a standard Internet connection, and what comes down from servers is generally 90% or so of that traffic. Of course, if you're a home user or an SMB, you'll probably be fine, assuming you're running on a decent, modern box.

On Sun, Nov 21, 2010 at 11:57 PM, Sujit Ghosal <thesujit () gmail com> wrote:
> Below is my snort rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP Test Rule"; flow:established,to_client; content:"html"; nocase; classtype:web-application-attack; reference:url, www.exploit-db.com/exploits/999999; sid:9000; rev:1;)
>
> And these are my snort.conf file entries: http://vim.pastey.net/143149
>
> - Sujit
>
> On Mon, Nov 22, 2010 at 6:43 AM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 11/21/2010 13:59, Sujit Ghosal wrote:
>>> Hey Guys, I have installed Snort v2.8.x in FC-13//Ubuntu v10.10 and everything got installed/configured (installed through Redhat Package Manager//Synaptic Package Manager) successfully. But while writing a rule to detect a simple pattern inside HTML body, snort is failing to do so! If I check for the HTTP MIME headers only, i.e. "Content-Type:", "Via:" etc., then snort detects those patterns flawlessly. Even I wrote a simple rule to detect GET requests over $HTTP_PORTS and it's working fine.
>>
>> can you post the rule that you have that is not working??
>>
>>> But when it comes to checking the contents inside the HTML body (client side web pages) entity, snort is not even detecting a single <html> tag. I guess it's an issue with one of the preprocessors, but I have no idea which preprocessor could be creating such issues.
>>
>> we might need to see your snort.conf file, too... but let's look at your rule first ;)
>>
>>> I am fully stuck at that place and not able to figure out how I should fix this silly problem. Please help. Any help would be much appreciated.
>>
>> we will do what we can :)
>>
>> ------------------------------------------------------------------------------
>> Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web.
>> Be a part of the beta today http://p.sf.net/sfu/msIE9-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
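Alex's point above, as an added example (my own Python model, not code from the thread or from Snort): it shows why a content: match on a header succeeds at the default server_flow_depth of 300 while a match on the <html> tag only succeeds once the depth is 0 or reaches into the body. The response, its header values and the treatment of the response as one contiguous stream are constructed assumptions.

```python
# Added example, not from the thread: a model of the inspection window that
# http_inspect's server_flow_depth puts over a server response, following the
# Snort 2.8.x behaviour described above (depth counted from the first byte of
# the response, headers included; 0 means inspect everything). The response
# is constructed and treated as one contiguous stream (a simplification).

BODY = (
    b"<html><head><title>Test</title></head><body>"
    b"<p>A body pattern the rule should match on.</p></body></html>\n"
)
# Constructed response with verbose headers (assumed values) so that the
# first <html> tag lands well past the default 300-byte window.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 22 Nov 2010 13:30:00 GMT\r\n"
    b"Server: Apache/2.2.16 (Ubuntu)\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Via: 1.1 proxy.example.test (squid/3.1.8)\r\n"
    b"Set-Cookie: session=0123456789abcdef0123456789abcdef; Path=/; HttpOnly\r\n"
    b"Cache-Control: no-cache, no-store, must-revalidate, max-age=0\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)


def inspected_bytes(response: bytes, server_flow_depth: int) -> bytes:
    """Slice of the server response that content: matches can see."""
    if server_flow_depth < 0:
        raise ValueError("negative depths are not modelled here")
    return response if server_flow_depth == 0 else response[:server_flow_depth]


def content_matches(response: bytes, pattern: bytes, server_flow_depth: int,
                    nocase: bool = False) -> bool:
    """Emulate content:"pattern" [nocase] over the inspected window."""
    window = inspected_bytes(response, server_flow_depth)
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def body_offset(response: bytes) -> int:
    """Byte offset where the headers end and the entity body begins."""
    return response.index(b"\r\n\r\n") + 4


if __name__ == "__main__":
    print("body starts at byte", body_offset(RESPONSE))
    for depth, pat in ((300, b"Content-Type:"), (300, b"<html>"), (0, b"<html>")):
        print(depth, pat, content_matches(RESPONSE, pat, depth, nocase=True))
```

A pattern that straddles the depth boundary is also missed, which is why a depth just short of the body start still fails; setting the depth to 0 removes the window entirely at the performance cost Alex describes.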