Snort mailing list archives
Re: Reg: Snort Rule for HTTP traffic
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 7 Apr 2015 15:14:32 +0000
Hello, Is your HTTP_SERVERS listed under your HOME_NET variable definition? Can you give an example of the traffic that isn't alerting as intended? Thanks! Albert Lewis QA Software Engineer SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com From: Ravi Menon [mailto:ravi.menon () eclinicalworks com] Sent: Tuesday, April 07, 2015 10:26 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Reg: Snort Rule for HTTP traffic Hi, I have been struggling with a particular rule for some time now and was hoping for some ideas to resolve my problem. Here is what I wish to achieve: If any IP's outside my $HOME_NET initiates HTTP communication with my $HTTP_SERVERS server, I want an alert to be generated for the same and the HTTP request dumped as well so that I can review it later. Here is what I am doing currently (preprocessor rule): alert tcp !$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "Detected Traffic "; flow:to_server,established; sid: 1000001; rev:1; metadata: service http; session: printable;) I have the stream5 , http_inspect preprocessors configured in snort.conf What this does is although it generates alert correctly and prints the HTTP session for requests coming from outside $HOME_NET , it is also printing the HTTP session for traffic from within my $HOME_NET server ip's , so basically all HTTP traffic is being dumped at this point. I am using a /24 mask for $HOME_NET and /32 mask for my $HTTP_SERVERS. Is there something I am missing ? Or will another approach help? Any help/guidance will be greatly appreciated. Thanks Ravi Menon CONFIDENTIALITY NOTICE TO RECIPIENT: This transmission contains confidential information belonging to the sender that is legally privileged and proprietary and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). If you are not the intended recipient of this e-mail, you are prohibited from sharing, copying, or otherwise using or disclosing its contents. If you have received this e-mail in error, please notify the sender immediately by reply e-mail and permanently delete this e-mail and any attachments without reading, forwarding or saving them. Thank you.
------------------------------------------------------------------------------ BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Reg: Snort Rule for HTTP traffic Ravi Menon (Apr 07)
- Re: Reg: Snort Rule for HTTP traffic Al Lewis (allewi) (Apr 07)
- Re: Reg: Snort Rule for HTTP traffic Ravi Menon (Apr 07)
- Re: Reg: Snort Rule for HTTP traffic Al Lewis (allewi) (Apr 07)