Snort mailing list archives
(no subject)
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 22 Oct 2002 22:36:45 -0500
A group of us that use and monitor snort related stuff meets every so often to talk about 'stuff'... And though I think I've heard this before, I can't seem to find it. So here it is:

It would be highly "COOL" if there were a flag that could be set within a rule that identified what type of response was returned from an HTTP daemon. This way, web rules would be able to have many false positives removed, since in the vast majority of cases a non-OK (200) message would mean the attempt failed.

I realize it may cause problems, because you're requiring the inspection of multiple packets... And some rules that have uricontent actually are responses from servers, so I'm not really sure how all that would work out at this point....

So a rule could be created as such:

Original ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:3;)

New ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; http-status-code:successful; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:3;)

Possible groupings for different types of responses:
1. successful - one of the 200's and possibly 300's
2. failure - any 400 or 500
3. serverror - any 500
4. bad - any 400
5. redir - any 300 (possibly excluding 304)
6. ok - 200 (possibly all other 200s)

Should probably also allow a comma separated list of http status codes. And the name for it can easily be different (http-return-code, httpcode, httpreturn, httpstatus...)

http://www.w3.org/Protocols/HTTP/HTRESP.html
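The following is an added worked example, not part of the post above and not Snort code: a small Python model of the proposed option, showing how a request-side uricontent match would be correlated with the server's status line before an alert is raised. The option name http-status-code, the six group names, and the comma-separated code list are taken from the post; everything else (the Rule class, the function names, the sample HTTP transactions) is constructed here to illustrate the idea. It also accepts mixed specs such as "redir,404", which the post only hints at.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Status-code groups exactly as listed in the post. The "possibly" items
# are resolved one way here: 'successful' includes 3xx, 'redir' excludes
# 304, 'ok' covers all 2xx. These are modelling choices, not Snort behaviour.
GROUPS: dict[str, Callable[[int], bool]] = {
    "successful": lambda c: 200 <= c < 400,
    "failure":    lambda c: 400 <= c < 600,
    "serverror":  lambda c: 500 <= c < 600,
    "bad":        lambda c: 400 <= c < 500,
    "redir":      lambda c: 300 <= c < 400 and c != 304,
    "ok":         lambda c: 200 <= c < 300,
}

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\d")


def parse_status_spec(spec: str) -> Callable[[int], bool]:
    """Turn 'successful' or '200,404' (or a mix) into a predicate on a code."""
    preds = []
    for item in spec.split(","):
        item = item.strip().lower()
        if item in GROUPS:
            preds.append(GROUPS[item])
        elif item.isdigit() and len(item) == 3:
            code = int(item)
            preds.append(lambda c, code=code: c == code)
        else:
            raise ValueError(f"unknown http-status-code value: {item!r}")
    return lambda c: any(p(c) for p in preds)


def status_code(response: str) -> Optional[int]:
    """Extract the numeric status from the first line of an HTTP response."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None


def request_uri(request: str) -> Optional[str]:
    """Extract the request-URI from the first line of an HTTP request."""
    m = REQUEST_LINE.match(request)
    return m.group(2) if m else None


@dataclass
class Rule:
    """Hypothetical rule: only the options this example needs."""
    msg: str
    uricontent: str                           # matched case-insensitively (nocase)
    http_status_code: Optional[str] = None    # the option proposed in the post


def evaluate(rule: Rule, request: str, response: str) -> bool:
    """True if the rule alerts on this request/response pair."""
    uri = request_uri(request)
    if uri is None or rule.uricontent.lower() not in uri.lower():
        return False
    if rule.http_status_code is None:
        return True                           # original rule: request-only match
    code = status_code(response)
    if code is None:
        return True                           # no parseable response: keep the alert
    return parse_status_spec(rule.http_status_code)(code)


def run(rule: Rule, transactions: list[tuple[str, str]]) -> list[bool]:
    """Evaluate one rule over a list of (request, response) pairs."""
    return [evaluate(rule, req, resp) for req, resp in transactions]


# Constructed sample traffic: two probes for the CGI, one of which the server
# rejects, plus an unrelated request.
SAMPLE_TRANSACTIONS = [
    ("GET /cgi-bin/calendar-admin.pl HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
     "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"),
    ("GET /cgi-bin/Calendar-Admin.pl?x=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

ORIGINAL_RULE = Rule("WEB-CGI calendar-admin.pl access", "/calendar-admin.pl")
NEW_RULE = Rule("WEB-CGI calendar-admin.pl access", "/calendar-admin.pl",
                http_status_code="successful")

if __name__ == "__main__":
    print("original:", run(ORIGINAL_RULE, SAMPLE_TRANSACTIONS))   # [True, True, False]
    print("new:     ", run(NEW_RULE, SAMPLE_TRANSACTIONS))        # [False, True, False]
```

The one design decision worth calling out is the fallback when no response is seen: this model keeps the alert, on the grounds that a missing or unparseable status line is itself suspicious and the option should only suppress alerts it can positively justify. A real implementation would also have to hold the request-side match until the response arrives, which is the multi-packet inspection cost the post mentions.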