Snort mailing list archives

Re: Port problems in a rule


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 20 Oct 2014 12:17:29 -0400

On 10/20/2014 9:46 AM, Kurzawa, Kevin wrote:
> Wireshark shows a packet from local to testmyids.com where "Host:
> testmyids.com" appears in a GET request. It is indeed port 80. This was
> triggered via browsing to the URI testmyids.com.
>
> It appears I'm not as familiar with what exactly the "content" looks at vs
> what the "pcre" looks at. The Snort manual didn't really clear things up for
> me. I thought they were two ways to search for the same stuff.
>
> Content: content in the packet payload.
> PCRE: Doesn't state exactly what it looks at.
>
> The content filter should pick up the "Host: testmyids.com" inside of an HTTP packet with the following rule, right?
> alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com";)
> But it does not.

The host entry is in the HTTP header... it appears that you need to modify your
rule in one of two ways... either use http_header; after your content or use
raw_packet (I /think/ that's it)... in this way, Snort will know which buffer to
search for the content in... I would probably go with http_header since that is
where the content you are looking for resides...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
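Added example (not from the thread or from the Snort project): the rule quoted above beside two variants that tell Snort 2.x which buffer to search. In Snort 2.x the `http_header` modifier after a `content` restricts the match to the normalized HTTP header buffer produced by the http_inspect preprocessor, and the `H` flag on a `pcre` does the same for a regex; the documented modifier for the unnormalized payload is `rawbytes`. The `sid` values, the `flow` option and the `nocase` on the header name are assumptions chosen for a local rules file.

```snort
# Original rule from the thread: plain content, no buffer modifier, no sid
# (Snort 2.x warns that a rule without a sid is invalid in most configurations).
alert tcp any any -> any 80 (msg:"LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com"; sid:1000001; rev:1;)

# Assumed fix: search only the normalized HTTP header buffer. flow:to_server
# keeps the rule on client requests; nocase covers "host:" vs "Host:".
alert tcp any any -> any 80 (msg:"LOCAL-RULE Test for TestMyIDS.com (http_header)"; flow:to_server,established; content:"Host: testmyids.com"; nocase; http_header; sid:1000002; rev:1;)

# Same match with pcre: H = normalized HTTP request header buffer,
# m = ^ anchors at line starts, i = case-insensitive.
alert tcp any any -> any 80 (msg:"LOCAL-RULE Test for TestMyIDS.com (pcre)"; flow:to_server,established; pcre:"/^Host:\s*testmyids\.com/Hmi"; sid:1000003; rev:1;)
```

To check which of these fire, save them to a local rules file included from snort.conf and replay the capture that Wireshark showed (e.g. `snort -c /etc/snort/snort.conf -r testmyids.pcap -A console`); the http_header and pcre/H rules will only fire when the string sits in the request headers, so a page whose body merely mentions testmyids.com does not trigger them. Snort 3 expresses the same thing with a sticky buffer, `http_header;` placed before the `content` option, rather than a modifier after it.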


