Snort mailing list archives
Re: Port problems in a rule
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 20 Oct 2014 12:17:29 -0400
On 10/20/2014 9:46 AM, Kurzawa, Kevin wrote:
Wireshark shows a packet from local to testmyids.com where "Host: testmyids.com" appears in a GET request. It is indeed port 80. This was triggered via browsing to the URI testmyids.com.

It appears I'm not as familiar with what exactly the "content" looks at vs what the "pcre" looks at. The snort manual didn't really clear things up for me. I thought they were two ways to search for the same stuff. Content: content in the packet payload. PCRE: Doesn't state exactly what it looks at.

The content filter should pick up the "Host: testmyids.com" inside of a HTTP packet with the following rule, right?

alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com";)

But it does not.
the host entry is in the http header... it appears that you need to modify your rule in one of two ways... either use http_header; after your content or use raw_packet (I /think/ that's it)... in this way, snort will know which buffer to search for the content in...

I would probably go with http_header since that is where the content you are looking for resides...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
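An added example, not code from this thread or from the Snort project, that models the buffer selection waldo describes. It approximates Snort 2.x in Python: a content keyword with no modifier searches the whole payload, http_header narrows it to the headers after the request line, http_uri to the request URI, http_client_body to the body, and a pcre picks its buffer with the H, U or P flag. The HTTP request and the rule option strings are constructed for the example; sid 1000001 is an arbitrary local-rule number, and the http_header variant is the form the reply recommends. (The Snort 2.x modifier for searching un-normalised packet data is spelled rawbytes in the manual; the toy does not model it, and it ignores the rule header, evaluating only the options.)

```python
# Toy model of Snort 2.x content/pcre buffer selection. This is NOT Snort code;
# it exists to show which bytes each modifier searches. Request is constructed.
import re

# Constructed request resembling what Wireshark showed in the thread.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: testmyids.com\r\n"
    b"User-Agent: example-browser/1.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Option strings as they would appear inside the parentheses of
#   alert tcp any any -> any 80 ( ... )
# Only the options are evaluated by this toy. sid 1000001 is an assumed local id.
RULE_BARE = 'msg:"LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com"; sid:1000001; rev:1;'
RULE_HEADER = 'msg:"LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com"; http_header; nocase; sid:1000001; rev:2;'
RULE_URI = 'content:"testmyids.com"; http_uri; sid:1000002; rev:1;'
RULE_BODY = 'content:"testmyids.com"; http_client_body; sid:1000003; rev:1;'
RULE_PCRE = r'pcre:"/^Host:\s*testmyids\.com/Hmi"; sid:1000004; rev:1;'

PCRE_BUFFER_FLAGS = {"H": "http_header", "U": "http_uri", "P": "http_client_body"}


def http_buffers(raw: bytes) -> dict:
    """Split a client request into the buffers the HTTP inspector exposes.

    'raw' is the whole payload (what an unmodified content searches);
    the other keys mirror the Snort modifier names.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return {
        "raw": raw,
        "http_uri": uri,
        "http_header": header_block + (b"\r\n" if header_block else b""),
        "http_client_body": body,
    }


def parse_rule_options(options: str) -> list:
    """Parse 'key:value; flag; ...' into (key, value) pairs; flags get None.

    Simplified: it does not handle escaped ';' inside quoted values.
    """
    pairs = []
    for opt in options.strip().strip("()").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip().strip('"') if value else None))
    return pairs


def rule_matches(options: str, raw: bytes) -> bool:
    """AND together every content/pcre option, each against its selected buffer."""
    buffers = http_buffers(raw)
    pending = []   # at most one (pattern, buffer, nocase) waiting for modifiers
    results = []

    def flush():
        if pending:
            pat, buf, nocase = pending.pop()
            hay = buffers[buf]
            if nocase:
                hay, pat = hay.lower(), pat.lower()
            results.append(pat in hay)

    for key, value in parse_rule_options(options):
        if key == "content":
            flush()
            pending.append((value.encode(), "raw", False))      # default: raw payload
        elif key in PCRE_BUFFER_FLAGS.values() and pending:
            pat, _, nocase = pending.pop()
            pending.append((pat, key, nocase))                  # modifier re-targets buffer
        elif key == "nocase" and pending:
            pat, buf, _ = pending.pop()
            pending.append((pat, buf, True))
        elif key == "pcre":
            flush()
            m = re.fullmatch(r"/(.*)/([a-zA-Z]*)", value)       # "/pattern/flags"
            if not m:
                raise ValueError(f"bad pcre option: {value!r}")
            pattern, flags = m.groups()
            target = next((PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS), "raw")
            re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.MULTILINE if "m" in flags else 0)
            results.append(re.search(pattern.encode(), buffers[target], re_flags) is not None)
    flush()
    return all(results)


if __name__ == "__main__":
    for name, opts in [("bare", RULE_BARE), ("http_header", RULE_HEADER),
                       ("http_uri", RULE_URI), ("http_client_body", RULE_BODY),
                       ("pcre /H", RULE_PCRE)]:
        print(f"{name:17s} -> {'MATCH' if rule_matches(opts, SAMPLE_REQUEST) else 'no match'}")
```

Running it shows the http_header and pcre /H variants matching while the http_uri and http_client_body variants miss, because "testmyids.com" only occurs in the Host header of this request. That is the practical point of the reply: naming the buffer makes the rule say where the match must be, instead of relying on how the raw payload happens to be presented to the detection engine.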