Snort mailing list archives
Re: Help with a rule
From: Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com>
Date: Fri, 6 Mar 2009 13:28:57 -0600
Yes, of course, I did try it on one line. I've fixed it by moving sid and rev to the beginning, like this:

log tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (sid:1000001; rev:1; classtype:web-application-activity; msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type|3A| text"; nocase;)

It works for port 80/tcp. I did change HTTP_PORTS to point to 80 and 443 tcp. I have also activated the SSL decode preprocessor.

http://pastebin.com/f30c7280f snort.conf
http://pastebin.com/f5268e6b3 rules/local.rules

What am I missing?

Regards,
LD

On Friday 06 March 2009 12:29:09 you wrote:
> Did you have the entire rule on one line? It's syntactically correct if it's all on one line (minus the "\" character after "rev").
>
> Alex
>
> On Fri, Mar 6, 2009 at 1:22 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
> > Thx. However, when I apply the rule:
> >
> > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type |3A| text/"; nocase; sid:1000001; rev:1; \ classtype:web-application-activity;)
> >
> > I get:
> >
> > ERROR: Warning: rules/local.rules(10) => Unknown keyword ' sid' in rule!
> > Fatal Error, Quitting..
> >
> > What am I missing?
> >
> > regards,
> > LD
> >
> > On Friday 06 March 2009 08:12:54 Alex Kirk wrote:
> > > First of all, depending on just how much you want to log, going with "alert" instead of "log" and skipping the "tag:session;" may be smart - it would be easy to overload your IDS with this if it's not very powerful, or if it's attempting to do anything else.
> > >
> > > That said, the rule you'd want for a purpose like this - which I'm sure you realize is only a stopgap, since it's really the web app's job to be doing logging like this - would look more like:
> > >
> > > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type|3A| text/"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
> > >
> > > Key differences:
> > >
> > > * $HTTP_PORTS is actually a default Snort variable, as opposed to $PORT_HTTP
> > > * Since the Content-Type header will be present in things coming *from* the web server, and not going to it, the direction is set properly now
> > > * "flow:established,from_server;" will save Snort a lot of work looking at packets that will never match, based on them being in the wrong part of the TCP stream
> > > * The "|3A|" in the content is necessary, because a colon in a content clause will cause a syntax error
> > > * Removed "http_header", since it's for client requests, and you're looking for server responses
> > > * Removed quotes from the classtype, as that's another fatal syntax error
> > >
> > > Hope that helps.
> > >
> > > Alex Kirk
> > > Research Analyst
> > > Sourcefire, Inc.
> > >
> > > On Thu, Mar 5, 2009 at 11:21 PM, Frank Knobbe <frank () knobbe us> wrote:
> > > > On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > > > > Logs all http packets that have a text/* mime type.
> > > > >
> > > > > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001;rev:1;)
> > > >
> > > > Does it capture all packets? Does it log? (Your rule alerts)
> > > >
> > > > Strictly speaking, you probably would want to use the following modifications for his specific need:
> > > >
> > > > log tcp any any -> any $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)
> > > >
> > > > :)
> > > >
> > > > Cheers,
> > > > Frank
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> > > > -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> > > > -Strategies to boost innovation and cut costs with open source participation
> > > > -Receive a $600 discount off the registration fee with the source code: SFAD
> > > > http://p.sf.net/sfu/XcvMzF8H
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
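An added example, not part of this thread or of Snort itself: a small Python linter that checks a Snort 2 rule string for the pitfalls the thread walks through (a raw colon inside content, a quoted classtype, an option keyword with its ':' missing, a stray "\" line continuation, and http_header on a from_server rule). The three rules from the thread are embedded as constructed input, and the colon check follows the thread's advice rather than any particular Snort parser version.

```python
import re
# Added example, not part of Snort: a linter for Snort 2 rule text that mirrors the thread's advice.
HEADER_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+'
                       r'\S+\s+\S+\s*\((?P<body>.*)\)\s*$', re.S)

def split_options(body):
    """Split the option body on ';' outside double quotes into (keyword, value) pairs."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            kw, _, val = ''.join(cur).strip().partition(':')
            opts.append((kw.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():                       # last option lacked its ';'
        opts.append((''.join(cur).strip(), ''))
    return opts

def lint_rule(rule):
    """Return a list of problems; an empty list means every check passed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header not recognised: action proto src sport -> dst dport (options)']
    body, problems = m.group('body'), []
    if '\\' in re.sub(r'"[^"]*"', '', body):       # backslash outside quotes
        problems.append('stray "\\" line continuation: put the whole rule on one line')
    opts = split_options(body)
    for kw, val in opts:
        if not re.fullmatch(r'\w+', kw):           # e.g. msg"..." with the ':' missing
            problems.append(f'malformed option starting {kw[:12]!r}: expected keyword:value;')
        elif kw == 'content' and ':' in val:
            problems.append('raw ":" inside content; encode it as |3A|')
        elif kw == 'classtype' and val.startswith('"'):
            problems.append('classtype must not be quoted')
    d = dict(opts)
    if 'http_header' in d and 'from_server' in d.get('flow', ''):
        problems.append('http_header matches client requests, not server responses')
    return problems

# Constructed input: the thread's original rule, the one with the stray "\", and the corrected one.
ORIGINAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type detected in web '
                 'traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001;rev:1;)')
CONTINUED_RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; '
                  'flow:established,from_server; content:"Content-Type |3A| text/"; nocase; sid:1000001; rev:1; \\ classtype:web-application-activity;)')
FIXED_RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; '
              'flow:established,from_server; content:"Content-Type|3A| text/"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)')
```

Running `lint_rule` over the stray-backslash rule reports both the continuation and an unknown keyword, which is the same pair of symptoms Snort's "Unknown keyword ' sid'" error pointed at.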
Current thread:
- Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Joel Esler (Mar 05)
- Re: Help with a rule Paul Schmehl (Mar 05)
- Re: Help with a rule Frank Knobbe (Mar 05)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Alex Kirk (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Markus Lude (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 05)