Snort mailing list archives
Re: Problem with http_header content modifier
From: Frederico Araujo <araujof () gmail com>
Date: Fri, 10 Jul 2015 13:43:02 -0400
Thanks for your reply, Waldo!

> does it work if you use http_raw_header instead?

No. I used http_raw_header and disabled fast_pattern:only, and it didn't alert.

> what does a packet capture of that packet look like?

13:34:27.679160 IP (tos 0x0, ttl 128, id 24583, offset 0, flags [DF], proto TCP (6), length 128)
    192.168.134.1.56096 > 192.168.134.138.80: Flags [P.], cksum 0xc44f (correct), seq 2669151629:2669151717, ack 2652066135, win 256, length 88
        0x0000:  4500 0080 6007 4000 8006 0c94 c0a8 8601  E...`.@.........
        0x0010:  c0a8 868a db20 0050 9f18 058d 9e13 5157  .......P......QW
        0x0020:  5018 0100 c44f 0000 4745 5420 2f63 6769  P....O..GET./cgi
        0x0030:  2d62 696e 2f74 6573 742d 6367 6920 4854  -bin/test-cgi.HT
        0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 3139  TP/1.1..Host:.19
        0x0050:  322e 3136 382e 3133 342e 3133 380d 0a55  2.168.134.138..*U*
        0x0060:  7365 722d 4167 656e 743a 2074 6573 740d  *ser-Agent:.test*.
        0x0070:  0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a  .Accept:.*/*....

> lastly, I see you are using $EXTERNAL_NET and $HOME_NET and your snort is on a NATed VM... is your snort looking at the raw unNATed data on the outside interface of your VM?

Good question. How do I check that? This is how I'm starting snort:

    sudo /usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0

and this is my eth0 interface:

    eth0      Link encap:Ethernet  HWaddr 00:0c:29:c5:ec:b3
              inet addr:192.168.134.138  Bcast:192.168.134.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fec5:ecb3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:30891 errors:0 dropped:0 overruns:0 frame:0
              TX packets:15517 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:16854013 (16.8 MB)  TX bytes:2368127 (2.3 MB)

> perhaps your $EXTERNAL_NET doesn't encompass the IP you are testing from? what are the contents of your $EXTERNAL_NET and $HOME_NET along with your testing IP and your snort's IP?

I think it does encompass the IP, because my simple ICMP and TCP rules (without http_header) work just fine.

    EXTERNAL_NET = any
    HOME_NET = 192.168.134.138 (I also tested with 192.168.134.0/24)
    testing IP = 192.168.134.1 (host)
    snort IP = 192.168.134.138 (VM where snort is installed)

Thanks,
Fred
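An added check, written for this thread rather than taken from it: decode the tcpdump -X hex dump quoted above (a constructed copy of its hex columns, without the ASCII column), walk the IPv4 and TCP headers by their length fields, and confirm that the User-Agent header the rule is meant to match is really in the payload and that the packet's destination falls inside the HOME_NET values tried here. It assumes the rule header is `$EXTERNAL_NET any -> $HOME_NET 80`, which the thread does not show.

```python
import ipaddress
import re
import struct

# Constructed from the tcpdump -X hex columns quoted in the thread (the ASCII
# column and the emphasis asterisks in the mail are not part of the bytes).
HEXDUMP = """\
0x0000: 4500 0080 6007 4000 8006 0c94 c0a8 8601
0x0010: c0a8 868a db20 0050 9f18 058d 9e13 5157
0x0020: 5018 0100 c44f 0000 4745 5420 2f63 6769
0x0030: 2d62 696e 2f74 6573 742d 6367 6920 4854
0x0040: 5450 2f31 2e31 0d0a 486f 7374 3a20 3139
0x0050: 322e 3136 382e 3133 342e 3133 380d 0a55
0x0060: 7365 722d 4167 656e 743a 2074 6573 740d
0x0070: 0a41 6363 6570 743a 202a 2f2a 0d0a 0d0a
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Keep only the 4-hex-digit words after each offset; ignore any ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s+)*[0-9a-f]{2,4})", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def extract_http_request(packet: bytes) -> dict:
    """Walk the IPv4 and TCP headers by their length fields, then split the HTTP head."""
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length in bytes
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    head, _, _ = tcp[data_off:].partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "request_line": request_line, "headers": headers}

def rule_addresses_match(pkt: dict, home_net: str, port: int = 80) -> bool:
    """Assumed rule header $EXTERNAL_NET any -> $HOME_NET <port>: only the destination side constrains."""
    return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(home_net) and pkt["dport"] == port
```

If both checks pass for the captured packet, the bytes and the rule's address/port constraint are not the problem, which points back at how the http_header buffer is being populated (e.g. whether the HTTP preprocessor is inspecting that port and interface).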
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!