Snort mailing list archives
Re: Question about a Snort rule
From: Matt Olney <molney () sourcefire com>
Date: Fri, 25 Feb 2011 12:31:35 -0500
That and it is fairly rare to find URI data or TCP flags in UDP packets.

On Fri, Feb 25, 2011 at 11:14 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:

On Fri, 25 Feb 2011 09:55:02 -0600, Miso Patel wrote:

OK, I now understand why just looking for 'flags:S;' doesn't make sense, but we want to alert on a situation where there is an established UDP connection AND 'iPad' in the URI, so we are trying this one now (without luck, but I feel we are getting closer):

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; content:"iPad"; http_uri; nocase; flags:A+; classtype:bad-unknown; reference:url,www.apple.com/ipad/; sid:18954545; rev:2;)

Well, as Will already pointed out, you can now use "flow:to_server,established;" with UDP rules. You will need the "track_udp yes," in your snort.conf for this to work. (It is in the snort.conf that ships with current versions of snort and in the rule tarballs too.) The "flow" option completely replaced "flags" a number of years ago.

The next thing is, you won't see "iPad", or anything else for that matter, in an HTTP URI request. So, if your intent is to detect iPads that are using UDP for communications, and you know that iPad will be in that data, then you should remove the "http_uri" content modifier altogether.

If you were wanting to detect iPads trying to access web resources, then you would be looking at TCP data and most likely you would want to look in the HTTP headers for a request. In which case you would use "http_header" as a content modifier.

If you have more information on what exactly you are trying to do, it would help the folks on the list to assist.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
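The two mistakes the replies above point out (a TCP-flags test and an HTTP buffer modifier on a UDP rule, plus the stream5 "track_udp" prerequisite for "flow" on UDP) are mechanical enough to lint for. The following is an added example, not code from the thread or from the Snort project: a small rule checker run over the rule as posted and over two rewrites that follow Nigel's advice. The rewrites, the "iPad in raw UDP payload" versus "iPad making HTTP requests" interpretations, the snort.conf fragment and the message strings are all constructed here; the rewrites reuse the posted sid with a bumped rev as alternatives, so only one of them would be loaded at a time.

```python
import re

# Added example. The first rule is the one posted in the thread; the two
# rewrites and the snort.conf fragment are constructed for this example.

# As posted: a UDP rule carrying a TCP-flags test and an HTTP URI buffer test.
ORIGINAL_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
    'content:"iPad"; http_uri; nocase; flags:A+; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:2;)'
)

# Rewrite A (assumed intent: "iPad" in a raw UDP payload). flow: replaces flags:,
# and http_uri is dropped because UDP traffic has no HTTP buffers to match in.
UDP_REWRITE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad string in UDP payload"; '
    'flow:to_server,established; content:"iPad"; nocase; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:3;)'
)

# Rewrite B (assumed intent: an iPad making HTTP requests). TCP to web ports,
# with the match moved to the request headers as Nigel suggests.
TCP_REWRITE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"iPad HTTP request"; '
    'flow:to_server,established; content:"iPad"; http_header; nocase; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:3;)'
)

# Constructed snort.conf fragment showing the track_udp setting the reply refers to.
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes, track_icmp no
preprocessor stream5_udp: timeout 180
"""

HTTP_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_raw_cookie", "http_method", "http_client_body", "http_stat_code", "http_stat_msg",
}

RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def split_options(body):
    """Split a rule body on ';' while respecting quoted strings and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Parse the header and options of a single-line Snort rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip()))
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def lint_rule(rule, track_udp=True):
    """Return a list of problems for the mistakes discussed in the thread."""
    r = parse_rule(rule)
    names = [name for name, _ in r["options"]]
    problems = []
    if r["proto"] == "udp" and "flags" in names:
        problems.append("flags: on a udp rule tests TCP header bits the packet does not have; use flow:")
    if r["proto"] != "tcp":
        for mod in names:
            if mod in HTTP_MODIFIERS:
                problems.append(f"{mod} is an HTTP buffer modifier and does nothing on a {r['proto']} rule")
    if r["proto"] == "udp" and "flow" in names and not track_udp:
        problems.append("flow: on a udp rule needs 'track_udp yes' in the stream5_global preprocessor config")
    return problems


def stream5_tracks_udp(conf_text):
    """True if the stream5_global preprocessor line in conf_text sets track_udp yes."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # fold backslash line continuations
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("preprocessor stream5_global:"):
            for kv in line.split(":", 1)[1].split(","):
                parts = kv.split()
                if len(parts) == 2 and parts[0] == "track_udp":
                    return parts[1].lower() == "yes"
    return False


if __name__ == "__main__":
    tracking = stream5_tracks_udp(SAMPLE_CONF)
    for label, rule in (("posted", ORIGINAL_RULE), ("udp rewrite", UDP_REWRITE), ("tcp rewrite", TCP_REWRITE)):
        print(label, lint_rule(rule, track_udp=tracking) or "ok")
```

Run against the posted rule the linter reports both the flags: and http_uri problems; both rewrites pass, and the UDP rewrite only fails when the constructed snort.conf has track_udp switched off.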
Current thread:
- Question about a Snort rule Miso Patel (Feb 25)
- Re: Question about a Snort rule Will Metcalf (Feb 25)
- Re: Question about a Snort rule Korodev (Feb 25)
- Re: Question about a Snort rule Nigel Houghton (Feb 25)
- Re: Question about a Snort rule Miso Patel (Feb 25)
- Re: Question about a Snort rule Nigel Houghton (Feb 25)
- Re: Question about a Snort rule Matt Olney (Feb 25)
- Re: Question about a Snort rule Miso Patel (Feb 25)
- Re: Question about a Snort rule Randal T. Rioux (Feb 25)