Snort mailing list archives

Re: Reg: Snort Rule for HTTP traffic


From: "Ravi Menon" <ravi.menon () eclinicalworks com>
Date: Tue, 7 Apr 2015 11:46:08 -0400

Hi Al,

Thanks for responding to my query.

Here are the variables as in snort.conf:

ipvar HOME_NET 10.10.10.1/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET 10.10.20.1/24

# Setting up HTTP servers network
ipvar HTTP_SERVERS 10.10.10.1/32

# List of ports you run web servers on
portvar HTTP_PORTS [8080]

The rule once again for reference (this is in preproc_rules/preprocessor.rules):

alert tcp !$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Detected Traffic"; flow:to_server,established; sid:1000001; rev:1; metadata:service http; session:printable;)

With the rule I mentioned above, the alerting is working fine; it logs the alert correctly, i.e., if the IP is from HOME_NET (10.10.10.x), then it logs the alert (msg: "Detected Traffic") or else it doesn't.

The problem is with the dumping of the HTTP session, i.e., it's dumping the session if the originating request is from outside, i.e., !(10.10.10.x), as well as dumping the session for 10.10.10.x.

What I wish for it to accomplish is that it ignores the HTTP sessions for 10.10.10.x (HOME_NET) and just dumps the sessions for traffic / requests originating from other networks like, say, 10.10.20.x.

To explain what I mean by dumping of the HTTP session:

I believe this part of the rule triggers it: metadata: service http; session: printable;

In the Snort log directory, a folder is created with the IP of the server from where the request originated, and it contains a SESSION:XXXX-8080 file with information like:

GET  (the actual HTTP request)
Host:
User-Agent:
Accept: text:
Accept-Language:
Accept-Encoding: gzip, deflate
Thanks

Ravi Menon

From: Al Lewis (allewi) [mailto:allewi () cisco com] 
Sent: Tuesday, April 07, 2015 11:15 AM
To: Ravi Menon; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Reg: Snort Rule for HTTP traffic

Hello,

Is your HTTP_SERVERS listed under your HOME_NET variable definition?

Can you give an example of the traffic that isn't alerting as intended?

Thanks!
Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email: allewi () cisco com 

From: Ravi Menon [mailto:ravi.menon () eclinicalworks com] 
Sent: Tuesday, April 07, 2015 10:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Reg: Snort Rule for HTTP traffic

Hi,

I have been struggling with a particular rule for some time now and was hoping for some ideas to resolve my problem.

Here is what I wish to achieve:

If any IPs outside my $HOME_NET initiate HTTP communication with my $HTTP_SERVERS server, I want an alert to be generated for the same and the HTTP request dumped as well so that I can review it later.

Here is what I am doing currently (preprocessor rule):

alert tcp !$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Detected Traffic"; flow:to_server,established; sid:1000001; rev:1; metadata:service http; session:printable;)

I have the stream5 and http_inspect preprocessors configured in snort.conf.

What this does is: although it generates the alert correctly and prints the HTTP session for requests coming from outside $HOME_NET, it is also printing the HTTP session for traffic from within my $HOME_NET server IPs, so basically all HTTP traffic is being dumped at this point. I am using a /24 mask for $HOME_NET and a /32 mask for my $HTTP_SERVERS.

Is there something I am missing? Or will another approach help?

Any help/guidance will be greatly appreciated.
Thanks

Ravi Menon
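As an added sanity check (this script is not part of the thread and is not Snort code), the following Python evaluates the rule header and the ipvar/portvar definitions from the thread against constructed sample flows, so you can see exactly which flows the header selects. It models only the header tests (source/destination address and port, with `!` negation on a variable); the rule options, stream5 flow tracking and the `session: printable` output are outside its scope.

```python
import ipaddress

SNORT_CONF = """
ipvar HOME_NET 10.10.10.1/24
ipvar HTTP_SERVERS 10.10.10.1/32
portvar HTTP_PORTS [8080]
"""  # variable definitions as quoted in the thread (EXTERNAL_NET is unused by the rule)
RULE_HEADER = "alert tcp !$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS"  # options part omitted

SAMPLE_FLOWS = [  # constructed sample flows (src, sport, dst, dport), not captured traffic
    ("10.10.20.5", 51000, "10.10.10.1", 8080),  # outside HOME_NET -> web server
    ("10.10.10.7", 51001, "10.10.10.1", 8080),  # inside HOME_NET  -> web server
    ("10.10.20.5", 51002, "10.10.10.1", 80),    # outside, but not an HTTP_PORTS port
    ("10.10.20.5", 51003, "10.10.10.9", 8080),  # outside, but not an HTTP_SERVERS host
]

def parse_vars(conf):
    ipvars, portvars = {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("ipvar", "portvar"):
            items = parts[2].strip("[]").split(",")  # [a,b] lists supported, nesting is not
            if parts[0] == "ipvar":  # strict=False: 10.10.10.1/24 means the 10.10.10.0/24 network
                ipvars[parts[1]] = [ipaddress.ip_network(i, strict=False) for i in items]
            else:
                portvars[parts[1]] = [int(i) for i in items]
    return ipvars, portvars

def ip_token_matches(token, addr, ipvars):
    if token == "any":
        return True
    hit = any(ipaddress.ip_address(addr) in n for n in ipvars[token.lstrip("!$")])
    return hit != token.startswith("!")  # leading '!' negates the variable

def port_token_matches(token, port, portvars):
    if token == "any":
        return True
    name = token.lstrip("!$")
    ports = portvars.get(name) or [int(name)]  # $VAR or a literal port number
    return (port in ports) != token.startswith("!")

def header_matches(rule, flow, ipvars, portvars):
    _, _, s_ip, s_port, _, d_ip, d_port = rule.split()  # action/proto ignored, '->' assumed
    src, sport, dst, dport = flow
    return (ip_token_matches(s_ip, src, ipvars) and port_token_matches(s_port, sport, portvars)
            and ip_token_matches(d_ip, dst, ipvars) and port_token_matches(d_port, dport, portvars))

def matching_flows(rule=RULE_HEADER, flows=SAMPLE_FLOWS, conf=SNORT_CONF):
    ipvars, portvars = parse_vars(conf)
    return [f for f in flows if header_matches(rule, f, ipvars, portvars)]
```

Only the first sample flow (external source to the /32 web server on 8080) satisfies the header; an internal source fails on `!$HOME_NET`, which is the behaviour the alerting in the thread already shows.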
