Snort mailing list archives
Re: Returned Errors for CISA Snort Rules
From: "John W. Blue via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 11 Jan 2022 03:38:52 +0000
Insights? That is SOP for CISA right there. "We recommend that you should do this *but* if it does not work it is up to you to figure out how we screwed up." You should see the amazing dysfunction of CISA trying to explain how to fill out/answer a data call for any recently released BOD. It happens.every.single.time.

John

-----Original Message-----
From: Snort-sigs [mailto:snort-sigs-bounces () lists snort org] On Behalf Of chris
Sent: Thursday, January 6, 2022 6:21 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] Returned Errors for CISA Snort Rules

Hello,

I've been trying to implement Snort rules provided by the CISA but I'm receiving errors when the classtype field contains the value "http-uri" or "http-header" (examples provided below). These are not default Snort classtypes. Can someone provide some insight on how to either define these classtypes OR provide a good alternative classtype?

Thanks in advance for any insight you can provide!

Best,
Chris

alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort..org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads
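The error Chris describes comes from Snort refusing a rule whose classtype has no definition in classification.config. The script below is an added example (not code from the thread, from CISA or from the Snort project): it parses a classification.config excerpt and a rules file, lists every classtype the rules reference that the config does not define, and prints the `config classification: name,description,priority` lines that would define them. It assumes the Snort 2 classification.config syntax; the config excerpt is a constructed sample of a few stock entries, and the rules are the two from the thread as posted. The generated descriptions are placeholders for the operator to edit.

```python
"""Cross-check the classtypes used in a Snort 2 rules file against
classification.config and emit the 'config classification:' lines needed
for any that are missing."""
import re

# Constructed excerpt of a stock Snort 2 classification.config; only a few
# of the default entries are reproduced here.
CLASSIFICATION_CONFIG = """\
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: web-application-attack,Web Application Attack,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
"""

# The two rules quoted in the thread, exactly as posted (sid and flowbits
# name placeholders included).
RULES = r"""
alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)
"""

# config classification: <shortname>,<description>,<priority>
CLASS_LINE = re.compile(r"^\s*config\s+classification\s*:\s*([^,]+),([^,]*),(\d+)\s*$")
CLASSTYPE_OPT = re.compile(r"\bclasstype\s*:\s*([^;]+);")
MSG_OPT = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_classifications(config_text):
    """Return {shortname: (description, priority)} for every definition."""
    defs = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = CLASS_LINE.match(line)
        if m:
            defs[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return defs


def rule_classtypes(rules_text):
    """Return {classtype: [rule msg, ...]} for every active rule line."""
    used = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASSTYPE_OPT.search(line)
        if not m:
            continue                          # rule carries no classtype option
        msg = MSG_OPT.search(line)
        used.setdefault(m.group(1).strip(), []).append(
            msg.group(1) if msg else line[:60])
    return used


def undefined_classtypes(rules_text, config_text):
    """Sorted classtypes referenced by rules but absent from the config."""
    defined = parse_classifications(config_text)
    return sorted(ct for ct in rule_classtypes(rules_text) if ct not in defined)


def proposed_config_lines(names, priority=3):
    """Build definitions for missing classtypes. The description is a
    placeholder the operator should replace; priority 3 is a conservative
    low-severity default (1 is the most severe in the stock file)."""
    return [f"config classification: {n},Undocumented class {n},{priority}"
            for n in names]


def report(rules_text, config_text):
    """Print a human-readable summary and return the missing names."""
    missing = undefined_classtypes(rules_text, config_text)
    used = rule_classtypes(rules_text)
    for ct in missing:
        print(f"classtype '{ct}' is not defined; used by: {', '.join(used[ct])}")
    if missing:
        print("\nAdd to classification.config (edit the descriptions):")
        print("\n".join(proposed_config_lines(missing)))
    else:
        print("all classtypes are defined")
    return missing


if __name__ == "__main__":
    report(RULES, CLASSIFICATION_CONFIG)
```

Run against the two posted rules, the report names `http-header` and `http-uri` as undefined and prints the two `config classification:` lines to append. After adding them, `snort -T -c snort.conf` will validate the rule set; the posted rules still need a real `sid` and a real flowbits name in place of the `00000000` and `<unique_ID>` placeholders before they will load. On Snort 3 the equivalent definitions live in the `classifications` table of snort_defaults.lua as `{ name = '...', priority = N, text = '...' }` entries rather than in classification.config.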
Current thread:
- Returned Errors for CISA Snort Rules chris (Jan 10)
- Re: Returned Errors for CISA Snort Rules John W. Blue via Snort-sigs (Jan 11)
- Re: [SUSPECTED SPAM] Returned Errors for CISA Snort Rules Russ Combs (rucombs) via Snort-sigs (Jan 18)