Re: Question about a Snort rule

[Matt Olney <molney () sourcefire com>]

That and it is fairly rare to find URI data or TCP flags in UDP packets.

On Fri, Feb 25, 2011 at 11:14 AM, Nigel Houghton
<nhoughton () sourcefire com>wrote:

> On Fri, 25 Feb 2011 09:55:02 -0600, Miso Patel wrote:
> > OK, I now understand why just looking for 'flags:S;' doesn't make
> > sense but we want to alert on a situation where there is an
> > established UDP connection AND 'iPad' in the URI so we are trying this
> > one now (without luck but I feel we are getting closer):
> >
> > alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> > request"; content:"iPad"; http_uri; nocase; flags:A+;
> > classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> > sid:18954545; rev:2;)
>
> Well, as Will already pointed out, you can now use
> "flow:to_server,established;" with UDP rules. You will need the
> "track_udp yes," in your snort.conf for this to work. (it is in the
> snort.conf that ships with current versions of snort and in the rule
> tar balls too) The "flow" option completely replaced "flags" a number
> of years ago.
>
> The next thing is, you won't see "iPad", or anything else for that
> matter, in an HTTP URI request. So, if your intent is to detect iPads
> that are using UDP for communications, and you know that iPad will be
> in that data, then you should remove the "http_uri" content modifier
> altogether.
>
> If you were wanting to detect iPads trying to access web resources,
> then you would be looking at TCP data and most likely you would want to
> look in the HTTP headers for a request. In which case you would use
> "http_header" as a content modifier.
>
> If you have more information on what exactly you are trying to do, it
> would help the folks on the list to assist.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
>
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> generated by your applications, servers and devices whether physical,
> virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org