Snort mailing list archives
Can't generate alerts on HTTP GET attacks
From: Sabawoon Mageedzada <sabawoon.majeedzada () gmail com>
Date: Wed, 2 Jul 2014 15:34:17 -0400
Hi everyone, I would appreciate it if someone could help me please. I am a newbie. I have to generate alerts by running pcap files that contain HTTP GET attacks (might be a different level of attack). Examples provided after my buddy's request; I have copied these from a CSV file. Sorry for the format. I have pcap files full of these attacks, but can't figure out a Snort rule to generate alerts while running these packets.

This is my Snort rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; flow:to_server,established; content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"; http_uri; content:"id="; metadata:service http; reference:bugtraq,10129; classtype:web-application-activity; sid:2588001; rev:8;)

These are the attacks I got from my CSV file, but they are also in pcap format. I have a lot of these kinds of attacks stored in pcap files but can't generate alerts when I run Snort on the pcap files.

2010-Oct-07 03:19:14.760262 someip 53181 > someip 80 websiteurl /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http://www.vimeo.com/moogaloop.swf?clip_id=/
2010-Oct-07 01:18:50.635566 someip 57991 > someip 80 urlofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords= http://revftdrcghjw.com/ HTTP/1.1
2010-Oct-07 01:18:51.615340 someip 50523 > someip 80 urlofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http: revftdrcghjw.com/
2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite /webcomm/masonVideos/index.php?vid=http:/ www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http:/ www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
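The following is an added example, not code from the poster or from the Snort project. It models, in a deliberately simplified way, the difference between the two URI buffers a Snort rule can search: http_uri searches the buffer http_inspect has normalized (with the default ascii option on, %XX sequences such as %3A%2F%2F are decoded to "://"), while http_raw_uri searches the request URI as it was sent. The log lines are constructed in the shape of the CSV export in the post, with placeholder addresses from the 192.0.2.0/24 documentation range; the model omits Snort's other normalizations (multi-slash, directory traversal, and so on), so treat it as an illustration of why an encoded pattern with a leading "//" and a trailing space never matches the normalized buffer, not as a reimplementation of http_inspect.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the shape of the CSV export in the post.
# Addresses are placeholders from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
2010-Oct-07 03:19:14.760262 192.0.2.10 53181 > 192.0.2.80 80 /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
2010-Oct-07 01:18:50.635566 192.0.2.11 57991 > 192.0.2.80 80 /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
2010-Oct-07 01:18:51.615340 192.0.2.11 50523 > 192.0.2.80 80 /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
2010-Oct-07 01:42:00.631679 192.0.2.12 34237 > 192.0.2.80 80 /webcomm/masonVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<sport>\d+) > "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<uri>\S+)$"
)


def parse_log(text):
    """Turn the constructed log text into one dict per request."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def normalize_uri(raw_uri):
    """Simplified model of the buffer the http_uri modifier searches:
    http_inspect percent-decodes %XX sequences (the 'ascii' option, on by
    default).  Real Snort applies further normalizations (multi-slash,
    directory traversal, ...) that this toy model deliberately leaves out."""
    return unquote(raw_uri)


def contents_match(buffer, contents):
    """Emulate several non-relative content: options: every pattern must
    occur somewhere in the buffer, each searched independently."""
    return all(pattern in buffer for pattern in contents)


def evaluate(contents, buffer="normalized", log_text=SAMPLE_LOG):
    """Return the timestamps of requests the content list would alert on,
    searching either the normalized (http_uri) or the raw (http_raw_uri)
    URI buffer."""
    hits = []
    for rec in parse_log(log_text):
        uri = normalize_uri(rec["uri"]) if buffer == "normalized" else rec["uri"]
        if contents_match(uri, contents):
            hits.append(rec["ts"])
    return hits


# The content list as posted: leading double slash, percent-encoded
# characters and a trailing space, checked against the normalized buffer,
# plus a second pattern "id=" that the keywords= requests never contain.
POSTED_CONTENTS = ["//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F ", "id="]

# Decoded form, as it appears in the normalized (http_uri) buffer.
NORMALIZED_CONTENTS = ["/index.php?keywords=http://revftdrcghjw.com/"]

# Encoded form, which only makes sense against the raw (http_raw_uri) buffer.
RAW_CONTENTS = ["/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"]

if __name__ == "__main__":
    print("posted pattern, http_uri buffer:", evaluate(POSTED_CONTENTS))
    print("decoded pattern, http_uri buffer:", evaluate(NORMALIZED_CONTENTS))
    print("encoded pattern, http_raw_uri buffer:", evaluate(RAW_CONTENTS, buffer="raw"))
    print("encoded pattern, http_uri buffer:", evaluate(RAW_CONTENTS))
```

Running the script shows the posted pattern hitting nothing in either buffer, while the decoded pattern against http_uri and the encoded pattern against http_raw_uri each hit the two keywords= requests. When a rule does not fire on a pcap, reading the URI back in the form the chosen buffer actually holds is the first check worth making, before looking at flow, ports or $HTTP_SERVERS variables.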
Current thread:
- Can't generate alerts on HTTP GET attacks Sabawoon Mageedzada (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks Ryan (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks Y M (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks rmkml (Jul 02)
- <Possible follow-ups>
- Re: Can't generate alerts on HTTP GET attacks Simon Wesseldine (Jul 03)
- Re: Can't generate alerts on HTTP GET attacks Nicholas Mavis (nmavis) (Jul 08)