Snort mailing list archives
Re: Content Rule problem
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Sun, 17 Sep 2017 14:01:03 +0000
Try this (conf and pcap are attached). The content is matched in the file transferred and in the request.

[alewis@localhost snort-2.9.9.0-released]$ ./bin/snort -c etc/ledi.conf -r etc/ledi.pcap -Acmg -k none -q

09/17-09:12:45.312281 [**] [1:1000001:0] Keyword found [**] [Priority: 1] {TCP} 1.1.1.1:1792 -> 2.2.2.2:80
09/17-09:12:45.312281 00:55:44:33:22:11 -> 00:11:22:33:44:55 type:0x800 len:0x1D4
1.1.1.1:1792 -> 2.2.2.2:80 TCP TTL:64 TOS:0x0 ID:13533 IpLen:20 DgmLen:454
***AP*** Seq: 0x971 Ack: 0xB51 Win: 0x16D0 TcpLen: 20
47 45 54 20 2F 66 61 6B 65 6E 65 77 73 2F 74 6D  GET /fakenews/tm
70 25 32 66 6C 65 64 69 25 32 65 74 78 74 20 48  p%2fledi%2etxt H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77  TTP/1.1..Host: w
72 6C 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  rl..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 31 31  Mozilla/5.0 (X11
3B 20 55 3B 20 4C 69 6E 75 78 20 69 36 38 36 3B  ; U; Linux i686;
20 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 31   en-US; rv:1.8.1
2E 31 37 29 20 47 65 63 6B 6F 2F 32 30 30 38 31  .17) Gecko/20081
30 30 37 20 46 69 72 65 66 6F 78 2F 32 2E 30 2E  007 Firefox/2.0.
30 2E 31 37 0D 0A 41 63 63 65 70 74 3A 20 74 65  0.17..Accept: te
78 74 2F 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69  xt/xml,applicati
6F 6E 2F 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69  on/xml,applicati
6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 74 65 78  on/xhtml+xml,tex
74 2F 68 74 6D 6C 3B 71 3D 30 2E 39 2C 74 65 78  t/html;q=0.9,tex
74 2F 70 6C 61 69 6E 3B 71 3D 30 2E 38 2C 69 6D  t/plain;q=0.8,im
61 67 65 2F 70 6E 67 2C 2A 2F 2A 3B 71 3D 30 2E  age/png,*/*;q=0.
35 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61  5..Accept-Langua
67 65 3A 20 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30  ge: en-us,en;q=0
2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64  .5..Accept-Encod
69 6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C 61 74  ing: gzip,deflat
65 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65  e..Accept-Charse
74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 75 74  t: ISO-8859-1,ut
66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D 30 2E  f-8;q=0.7,*;q=0.
37 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33  7..Keep-Alive: 3
30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  00..Connection:
6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A        keep-alive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-09:12:49.318085 [**] [1:1000000:0] ledi in a file [**] [Priority: 0] {TCP} 2.2.2.2:80 -> 1.1.1.1:1792
09/17-09:12:49.318085 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x5F
2.2.2.2:80 -> 1.1.1.1:1792 TCP TTL:64 TOS:0x0 ID:3631 IpLen:20 DgmLen:81
***AP*** Seq: 0xCAF Ack: 0xB0F Win: 0x16D0 TcpLen: 20
54 68 69 73 20 66 69 6C 65 20 68 61 73 20 74 68  This file has th
65 20 63 6F 6E 74 65 6E 74 20 27 6C 65 64 69 27  e content 'ledi'
20 69 6E 20 69 74 2E 0A 0A                        in it...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc.
now part of Cisco
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Keith Seymour via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Keith Seymour <keseymour () gmail com>
Date: Sunday, September 17, 2017 at 9:48 AM
To: redion xhepa <redionxhepa () live com>, "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Content Rule problem

When I Google search, it defaults to https; you wouldn't see that. You could use telnet or post the term to an unprotected forum?

Thanks,
Keith

On Sun, Sep 17, 2017 at 6:46 AM redion xhepa via Snort-sigs <snort-sigs () lists snort org> wrote:

I have written these rules in Snort. It detects the first three but not the content one. Why?

alert icmp any any -> any any (msg: "ICMP Packet found"; sid: 1000001;)
alert tcp any any -> any any (msg: "TCP Packet found"; sid: 1000002;)
alert udp any any -> any any (msg: "UDP Packet found"; sid: 1000003;)
alert tcp any any -> any any (content: "ledi"; nocase; msg: "Keyword found"; sid: 1000004;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Attachments: ledi.conf, ledi.pcap
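The reason both of Al's alerts fire, and the reason Keith's point about HTTPS matters, comes down to what buffer a `content` option is compared against: a bare `content:"ledi"; nocase;` is a case-folded substring search over the raw TCP payload, so it hits the request above (the URI `/fakenews/tmp%2fledi%2etxt` still carries the literal bytes "ledi" because only the slash and dot are percent-encoded) and hits the response body, while a TLS-wrapped request carries the keyword only inside an encrypted record and can never match. The script below is an added illustration of that matching logic, not code from the thread or from the Snort project. It models a minimal subset of rule evaluation: a header-only rule, a raw `content` rule, and a constructed `http_uri` variant (sid 1000005 is made up) that searches a percent-decoded URI the way Snort's http_inspect normalized buffer would; the assumption is that only `%xx` decoding is modeled and the other URI normalizations are omitted. The request and response bytes are taken from the hex dumps above (request headers after User-Agent trimmed); the percent-encoded request and the TLS record are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample TCP payloads. The request and response reproduce the bytes
# shown in the hex dumps in the thread (headers after User-Agent trimmed);
# the other two are made up for this example.
HTTP_REQUEST = (
    b"GET /fakenews/tmp%2fledi%2etxt HTTP/1.1\r\n"
    b"Host: wrl\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) "
    b"Gecko/20081007 Firefox/2.0.0.17\r\n"
    b"\r\n"
)
HTTP_RESPONSE = b"This file has the content 'ledi' in it.\n\n"
# Constructed: same file name, but the 'l' is percent-encoded (%6c) in the URI,
# so the literal bytes "ledi" never appear in the raw payload.
HTTP_REQUEST_ENCODED = b"GET /fakenews/tmp/%6cedi.txt HTTP/1.1\r\nHost: wrl\r\n\r\n"
# Constructed: a TLS record header (content type 22 = handshake, version 3.3,
# 16-byte length) followed by opaque bytes. Over HTTPS the keyword only ever
# exists inside the encrypted record, so no cleartext pattern can match it.
TLS_RECORD = b"\x16\x03\x03\x00\x10" + bytes(range(0x41, 0x51))


@dataclass
class Rule:
    """The subset of Snort rule options this example models."""
    sid: int
    msg: str
    content: Optional[bytes] = None  # None: no content option, fires on any payload
    nocase: bool = False
    http_uri: bool = False  # match the normalized request URI instead of the raw payload


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-target from an HTTP request line, or None if the
    payload does not start with one (responses, TLS, anything else)."""
    line, sep, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return None


def normalize_uri(uri: bytes) -> bytes:
    """Percent-decode the URI. Assumption: this models only the %xx decoding
    that Snort's http_inspect applies to the http_uri buffer; the other
    normalizations (directory traversal, multi-slash, unicode) are omitted."""
    return unquote(uri.decode("latin-1"), encoding="latin-1").encode("latin-1")


def content_match(buf: bytes, pattern: bytes, nocase: bool) -> bool:
    """A plain 'content' check: substring search, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(rules: List[Rule], payload: bytes) -> List[int]:
    """Return the sids of the rules that fire on one TCP payload, in rule order."""
    fired = []
    for rule in rules:
        if rule.content is None:
            fired.append(rule.sid)
            continue
        if rule.http_uri:
            uri = extract_uri(payload)
            if uri is None:
                continue
            buf = normalize_uri(uri)
        else:
            buf = payload
        if content_match(buf, rule.content, rule.nocase):
            fired.append(rule.sid)
    return fired


# The TCP and content rules from the thread, plus a constructed http_uri
# variant (sid 1000005 is made up for this example).
RULES = [
    Rule(1000002, "TCP Packet found"),
    Rule(1000004, "Keyword found", content=b"ledi", nocase=True),
    Rule(1000005, "Keyword in normalized URI", content=b"ledi", nocase=True, http_uri=True),
]

if __name__ == "__main__":
    samples = [("request", HTTP_REQUEST), ("response", HTTP_RESPONSE),
               ("encoded request", HTTP_REQUEST_ENCODED), ("tls", TLS_RECORD)]
    for name, payload in samples:
        print(f"{name:16s} -> {evaluate(RULES, payload)}")
```

Running it shows the three outcomes a rule writer needs to keep apart: the cleartext request and response fire the raw `content` rule exactly as in Al's output; the percent-encoded request fires only the `http_uri` variant, because the raw bytes no longer contain "ledi" while the decoded URI does; and the TLS record fires only the header-only TCP rule, which is precisely the "first three but not the content one" pattern when the test traffic is HTTPS.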
Current thread:
- Content Rule problem redion xhepa via Snort-sigs (Sep 17)
- Fw: Content Rule problem redion xhepa via Snort-sigs (Sep 17)
- Re: Fw: Content Rule problem wkitty42 (Sep 17)
- Re: Content Rule problem redion xhepa via Snort-sigs (Sep 17)
- Re: Content Rule problem Keith Seymour via Snort-sigs (Sep 17)
- Re: Content Rule problem Al Lewis (allewi) via Snort-sigs (Sep 17)