Snort mailing list archives
rule?
From: Frank Calone <fc10011001 () gmail com>
Date: Tue, 13 Aug 2013 17:18:30 -0400
I’m trying to alert when I find this pattern within, say, the first 15 bytes of the file data of an HTTP session. My rule is not working and I don’t know why. I have a pcap file and am playing it back as follows:

    snort -dvr file1.pcap -c /etc/snort/snort.conf

The stats at the end show zero alerts. Here is my rule:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"pcap file hit"; flow:to_client,established; content:"Content-Type: text/html"; http_header; content:"|0d 0a|"; http_header; file_data; content:"|1f 2f|"; depth:15; flowbits:set,tagged; tag:session,0,packets,1000,seconds; sid:3889999; rev:0;)

So I am looking for hex “1f 2f” within the first 15 bytes of the file data of the HTTP session. The pcap data has the following info:

    64 69 6E 67 3A 20 63 68 75 6E 6B 65 64 0D 0A 43   ding: chunked..C
    6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78   ontent-Type: tex
    74 2F 68 74 6D 6C 0D 0A 0D 0A 52 50 30 30 1F 2F   t/html....RP00./
    18 56 61 88 18 1B 18 20 20 1C 20 18 18 E7 E7 18   .Va.............

Frank
Snort-users mailing list
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
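An added example, not from the post and not Snort code: a small Python model of the rule's `file_data; content:"|1f 2f|"; depth:15;` test, run over a constructed HTTP response with the same headers as the dump above but a valid chunked body. Snort's http_inspect dechunks the response body before `file_data` is applied, so the example reports where the pattern lands in the raw body versus the dechunked body; the chunk-size line in the sample is deliberately padded so the two answers differ.

```python
"""Offline model of a file_data/depth content check against an HTTP response.

Constructed example; it imitates only the content/depth test on the raw and
dechunked body, not Snort's full HTTP normalization.
"""
import re


def split_response(raw: bytes):
    """Return (header block, raw body) of an HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    return head, body


def is_chunked(head: bytes) -> bool:
    return re.search(rb"(?im)^transfer-encoding:\s*chunked\s*$", head) is not None


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body; stops at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends the chunk


def normalized_body(raw: bytes) -> bytes:
    """The body as the rule's file_data buffer would see it: dechunked when chunked."""
    head, body = split_response(raw)
    return dechunk(body) if is_chunked(head) else body


def content_within_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """depth:N semantics: the whole pattern must lie inside the first N bytes."""
    return buf.find(pattern, 0, depth) != -1  # end=depth bounds the match end


# Constructed response: headers as in the post, then a chunked body whose
# zero-padded chunk-size line puts 1f 2f at raw offset 16 but body offset 5.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"00000000a\r\n"      # chunk size 0xa = 10 bytes
    b"RP00X\x1f/\x18Va"   # 10 bytes of chunk data, pattern at offset 5
    b"\r\n"
    b"0\r\n\r\n"
)
PATTERN = b"\x1f\x2f"

if __name__ == "__main__":
    print("raw body hit:       ", content_within_depth(split_response(SAMPLE)[1], PATTERN, 15))
    print("dechunked body hit: ", content_within_depth(normalized_body(SAMPLE), PATTERN, 15))
```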