Snort mailing list archives
Re: URI content not being identified
From: Jelte <masterjel5000 () hotmail com>
Date: Thu, 8 May 2014 19:27:01 +0200
You said:

> Changing the "content:" to "uricontent" or "http_uri" should not work. The "content" keyword allows you to search for a string pattern, in your case "/test.php". Content modifiers on the other hand apply to your content. So to have your rule corrected try something like:
>
> content:"/test.php"; http_uri;

I am aware that I should place "http_uri;" separate from the content specification, but this doesn't work. Also I see no reason why replacing "content" with "uricontent" should not work, because as the official Snort documentation says: "This is equivalent to using the http_uri modifier to a content keyword." (refer to http://manual.snort.org/node385.html).

You also said:

> I would also add flow direction in the rule: flow:to_server, established for example, depending on the direction of the traffic (3-way handshake).

I agree that this is a preferable addition in order to fine-tune the rule, but adding this makes no difference when I have 'content:"/test.php"; http_uri;' in my rule, i.e. it still does not trigger an alert. This also seems logical because it only applies an additional filter.

Nonetheless, thanks for your suggestions! I still hope someone is able to help me with this :-)

Y M wrote on 5/8/2014 6:06 PM:
>> Date: Thu, 8 May 2014 17:44:34 +0200
>> From: masterjel5000 () hotmail com
>> To: snort-users () lists sourceforge net
>> Subject: [Snort-users] URI content not being identified
>>
>> Hello all,
>>
>> I have the following Snort rule:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test"; content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)
>>
>> Now when I visit mysite.com/test.php an alert is correctly generated. However, as soon as I change "content" to "uricontent", or add "http_uri;" before the "classtype", no alert is generated. I analyzed the traffic using tshark and I can see requests to "test.php" coming through.
>>
>> Do you know any step I could take that may help to identify what is causing this?
>
> Changing the "content:" to "uricontent" or "http_uri" should not work. The "content" keyword allows you to search for a string pattern, in your case "/test.php". Content modifiers on the other hand apply to your content. So to have your rule corrected try something like:
>
> content:"/test.php"; http_uri;
>
> I would also add flow direction in the rule: flow:to_server, established for example, depending on the direction of the traffic (3-way handshake).
>
>> Thanks!
>
> ------------------------------------------------------------------------------
> Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
> • 3 signs your SCM is hindering your productivity
> • Requirements for releasing software faster
> • Expert tips and advice for migrating your SCM now
> http://p.sf.net/sfu/perforce
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
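As an added illustration (not code from this thread, and not Snort's own code), the following Python stand-in splits an HTTP request into the buffers a Snort 2 rule can target and shows why `content:"test.php"` and `content:"/test.php"; http_uri;` are not interchangeable: the plain `content` keyword searches the whole TCP payload, while `http_uri` searches only the URI after http_inspect has normalized it. The normalization here is a deliberately simplified assumption about what http_inspect does (one round of percent-decoding, collapsing repeated slashes, resolving `.` and `..` segments); the three requests are constructed samples, not captured traffic.

```python
from urllib.parse import unquote


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": target, "version": version,
            "headers": headers, "body": body}


def normalize_uri(uri: bytes) -> bytes:
    """Simplified stand-in for http_inspect URI normalization (assumption:
    the real preprocessor handles more encodings and is configurable).
    Percent-decodes the path once, collapses repeated slashes and resolves
    '.' and '..' segments; the query string is kept but not decoded."""
    path, sep, query = uri.partition(b"?")
    path = unquote(path.decode("latin-1"), encoding="latin-1").encode("latin-1")
    while b"//" in path:
        path = path.replace(b"//", b"/")
    segments = []
    for seg in path.split(b"/"):
        if seg == b"..":
            if len(segments) > 1:  # never pop the leading empty root segment
                segments.pop()
        elif seg != b".":
            segments.append(seg)
    return b"/".join(segments) + sep + query


def buffers(raw: bytes) -> dict:
    """The places a rule can look: the whole payload (plain 'content'),
    the URI exactly as sent ('http_raw_uri') and the normalized URI
    ('content; http_uri')."""
    req = parse_request(raw)
    return {"payload": raw,
            "http_raw_uri": req["uri"],
            "http_uri": normalize_uri(req["uri"])}


def matches(raw: bytes, pattern: bytes) -> dict:
    """Case-sensitive substring test per buffer, like 'content' without 'nocase'."""
    return {name: pattern in buf for name, buf in buffers(raw).items()}


# Constructed sample requests (not captured traffic).
REQ_PLAIN = (b"GET /test.php HTTP/1.1\r\n"
             b"Host: mysite.com\r\n\r\n")
# Same resource reached through an encoded, dotted, double-slashed path.
REQ_ENCODED = (b"GET /a/..//%74est.php?x=1 HTTP/1.1\r\n"
               b"Host: mysite.com\r\n\r\n")
# The string appears only in a header, not in the request URI.
REQ_REFERER = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: mysite.com\r\n"
               b"Referer: http://mysite.com/test.php\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("plain", REQ_PLAIN), ("encoded", REQ_ENCODED),
                       ("referer-only", REQ_REFERER)):
        print(label, matches(req, b"/test.php"))
```

Run as-is, the plain request matches in every buffer, the encoded request matches only in `http_uri` (a plain `content` rule misses it), and the Referer-only request matches only in the payload (a plain `content` rule alerts on a page that is not `/test.php`). One check worth making when an `http_uri` rule stays silent on traffic that a plain `content` rule catches: the `http_*` buffers are filled only for streams http_inspect actually decodes, so confirm that the destination port is in the `ports { ... }` list of the `http_inspect_server` preprocessor line in snort.conf and that `$HTTP_PORTS` in the rule header agrees with that list.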
Current thread:
- URI content not being identified Jelte (May 08)
- Re: URI content not being identified Y M (May 08)
- Re: URI content not being identified Jelte (May 08)
- Re: URI content not being identified Y M (May 08)
- Re: URI content not being identified Jelte (May 09)
- Message not available
- Re: URI content not being identified Jelte (May 09)
- Message not available
- Message not available
- Re: URI content not being identified Jelte (May 09)
- Re: URI content not being identified Joel Esler (jesler) (May 12)
- Re: URI content not being identified Jelte (May 12)
- Re: URI content not being identified Jelte (May 08)
- Re: URI content not being identified Y M (May 08)