Snort mailing list archives
Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream
From: Qasim Javed <qasim.javed () ebryx com>
Date: Sun, 6 Dec 2015 01:33:03 +0500
Thanks a lot. It worked for me. Best Regards, Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan On 4 December 2015 at 19:54, Ronald Hill <ronald.hill () dunbarsecured com> wrote:
Great knowledge share. Thanks. *Ron Hill * SOC Analyst I Dunbar Security Solutions http://dunbarcybersecurity.com ------------------------------ *From:* Al Lewis (allewi) <allewi () cisco com> *Sent:* Friday, December 4, 2015 9:09 AM *To:* Qasim Javed *Cc:* snort-users () lists sourceforge net *Subject:* Re: [Snort-users] [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Hello, Have you tried using flowbits? You could try setting a flowbit if the first content is seen then create another rule to check for that flowbit and alert if the second content is there. http://manual.snort.org/node470.html flowbits - SNORT Users Manual 2.9.7 General Format Up: Non-Payload Detection Rule Options Previous: Examples Contents flowbits The flowbits keyword is used in conjunction with conversation tracking from ... Read more... <http://manual.snort.org/node470.html> From the manual: “The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor (see Section[*]). It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol” Checkout the README.flowbits for examples. Sample Rules ------------ alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;) alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;) alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;) alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase; flowbits:set,http.jpg,file_type;) Albert Lewis QA Software Engineer SOURCE*fire*, Inc. now part of *Cisco* 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com *From:* Qasim Javed [mailto:qasim.javed () ebryx com] *Sent:* Thursday, December 03, 2015 5:30 AM *To:* snort-users () lists sourceforge net *Subject:* [SUSPICIOUS] [Snort-users] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Hi. I have enabled TCP reassembly in snort.conf and have *set paf_max to 63780 *but my pcap to be analyzed contains response of bytes greater than 100000 and we can find two contents which must come in 63780 but my *content_no.1* is in first *63780* and *content_no.2* is in 2nd chunk of bytes got after flushing.So my rule is not generating alert, how can i fix this issue and make it unlimited. I have attached *snort.conf*. Best Regards, Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. | Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan [image: Image removed by sender.]
------------------------------------------------------------------------------ Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Qasim Javed (Dec 03)
- Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Al Lewis (allewi) (Dec 04)
- Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Ronald Hill (Dec 04)
- Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Qasim Javed (Dec 05)
- Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Ronald Hill (Dec 04)
- Re: [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream Al Lewis (allewi) (Dec 04)