Snort mailing list archives

Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream


From: Qasim Javed <qasim.javed () ebryx com>
Date: Sun, 6 Dec 2015 01:33:03 +0500

Thanks a lot. It worked for me.
Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
On 4 December 2015 at 19:54, Ronald Hill <ronald.hill () dunbarsecured com>
wrote:

Great knowledge share.  Thanks.


*Ron Hill *

SOC Analyst I

Dunbar Security Solutions

http://dunbarcybersecurity.com
------------------------------
*From:* Al Lewis (allewi) <allewi () cisco com>
*Sent:* Friday, December 4, 2015 9:09 AM
*To:* Qasim Javed
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] [SUSPICIOUS] how to set paf_max unlimited to
get all of the http response between <html> and </html> in single stream


Hello,
Have you tried using flowbits? You could try setting a flowbit if the first
content is seen, then create another rule to check for that flowbit and alert
if the second content is there.
http://manual.snort.org/node470.html
From the manual:

“The flowbits keyword is used in conjunction with conversation tracking
from the Stream preprocessor (see Section[*]). It allows rules to track
states during a transport protocol session. The flowbits option is most
useful for TCP sessions, as it allows rules to generically track the state
of an application protocol”
Checkout the README.flowbits for examples.
Sample Rules

------------

alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)

alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)

alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)

alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase; flowbits:set,http.jpg,file_type;)
Albert Lewis

QA Software Engineer

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com
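The two-rule flowbits pattern described above, applied to the case in the subject line (an opening <html> in the first flushed chunk of an HTTP response and a closing </html> in a later chunk of the same session), as an added example that is not part of the original thread. It assumes the standard snort.conf variables $HTTP_SERVERS, $HTTP_PORTS and $EXTERNAL_NET, and the SIDs and flowbit name are placeholders.

```snort
# Added example, not from the thread. Assumes the usual snort.conf variables
# ($HTTP_SERVERS, $HTTP_PORTS, $EXTERNAL_NET); the markers <html> / </html>
# come from the subject line, and sid 1000001 / 1000002 are placeholder local SIDs.

# Rule 1: the first marker lands in the first reassembled chunk of the response.
# Record that on the session with a flowbit instead of alerting (flowbits:noalert).
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"HTML response: opening <html> seen"; \
    flow:established,from_server; \
    content:"<html>"; nocase; \
    flowbits:set,html.open_seen; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule 2: the second marker lands in a later reassembled chunk of the same session.
# The flowbit is kept on the stream session by the Stream preprocessor, so it is
# still visible after the flush. Alert only if the opening marker was seen earlier
# on this flow, then clear the bit so the pair must be seen again to re-alert.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"HTML response: closing </html> after opening <html> on same flow"; \
    flow:established,from_server; \
    flowbits:isset,html.open_seen; \
    content:"</html>"; nocase; \
    flowbits:unset,html.open_seen; \
    sid:1000002; rev:1; )
```

Each marker still has to fall inside some chunk that Stream reassembles and inspects; the flowbit only carries the state between those chunks, it does not enlarge them.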
*From:* Qasim Javed [mailto:qasim.javed () ebryx com]
*Sent:* Thursday, December 03, 2015 5:30 AM
*To:* snort-users () lists sourceforge net
*Subject:* [SUSPICIOUS] [Snort-users] how to set paf_max unlimited to get
all of the http response between <html> and </html> in single stream
Hi.

   I have enabled TCP reassembly in snort.conf and have *set paf_max to
63780*, but the pcap to be analyzed contains a response of more than 100000
bytes, and we can find two contents which must come within 63780, but my
*content_no.1* is in the first *63780* and *content_no.2* is in the 2nd chunk of
bytes got after flushing. So my rule is not generating an alert; how can I fix
this issue and make it unlimited?

I have attached *snort.conf*.
Best Regards,


Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

