Re: Help with a rule

[Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com>]

Yes of cours, I did try in one line. 
I've fix it moving sid and rev at the beginning, like this:

log tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (sid:1000001; rev:1;  
classtype:web-application-activity; msg:"text mime type detected in web 
traffic";  flow:established,from_server; content:"Content-Type|3A| text"; 
nocase;)

It works, for port 80/tcp.  I did chant HTTP_PORTS to point to 80 and 443 tcp. 
I 'ave also active SSL decode-preprosesor.

http://pastebin.com/f30c7280f   snort.conf
http://pastebin.com/f5268e6b3   rules/local.rules


What I'm missing.

Regards,

LD

On Friday 06 March 2009 12:29:09 you wrote:
> Did you have the entire rule on one line? It's syntactically correct if
> it's all on one line (minus the "\" character after "rev").
>
> Alex
>
> On Fri, Mar 6, 2009 at 1:22 PM, Luis Daniel Lucio Quiroz <
>
> luis.daniel.lucio () gmail com> wrote:
> > Thx
> >
> > However I apply the rule:
> >
> > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type
> > detected in web traffic"; flow:established,from_server;
> > content:"Content-Type
> >
> > |3A| text/"; nocase; sid:1000001; rev:1; \
> >
> >  classtype:web-application-activity;)
> >
> > I got
> >
> > ERROR: Warning: rules/local.rules(10) => Unknown keyword ' sid' in rule!
> > Fatal Error, Quitting..
> >
> >
> > What I missing?  regards,
> >
> > LD
> >
> > On Friday 06 March 2009 08:12:54 Alex Kirk wrote:
> > > First of all, depending on just how much you want to log, going with
> > > "alert" instead of "log" and skipping the "tag:session;" may be smart -
> >
> > it
> >
> > > would be easy to overload your IDS with this if it's not very powerful,
> >
> > or
> >
> > > if it's attempting to do anything else.
> > >
> > > That said, the rule you'd want for a purpose like this - which I'm sure
> >
> > you
> >
> > > realize is only stopgap, since it's really the web app's job to be
> > > doing logging like this - would look more like:
> > >
> > > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg"text mime
> > > type detected in web traffic"; flow:established,from_server;
> > > content:"Content-Type|3A| text/"; nocase;
> > > classtype:web-application-activity; sid:1000001; rev:1;)
> > >
> > > Key differences:
> > >
> > > * $HTTP_PORTS is actually a default Snort variable, as opposed to
> > > $PORT_HTTP * Since the Content-Type header will be present in things
> >
> > coming
> >
> > > *from* the web server, and not going to it, the direction is set
> > > properly now * "flow:established,from_server"; will save Snort a lot of
> > > work
> >
> > looking
> >
> > > at packets that will never match, based on them being in the wrong part
> >
> > of
> >
> > > the TCP stream
> > > * The "|3A|" in the content is necessary, because a colon in a content
> > > clause will cause a syntax error
> > > * Removed "http_header", since it's for client requests, and you're
> >
> > looking
> >
> > > for server responses
> > > * Removed quotes from the classtype, as that's another fatal syntax
> > > error
> > >
> > > Hope that helps.
> > >
> > > Alex Kirk
> > > Research Analyst
> > > Sourcefire, Inc.
> > >
> > > On Thu, Mar 5, 2009 at 11:21 PM, Frank Knobbe <frank () knobbe us> wrote:
> > > > On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > > > > > Logs al http packets that has a text/* mime type.
> > > > >
> > > > > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime
> > > > > type detected in web traffic"; content:"Content-Type: text/";
> > > > > http_header; classtype:"web-application-activity"; sid:1000001;
> >
> > rev:1;)
> >
> > > > Does it capture all packets? Does it log? (Your rule alerts)
> > > >
> > > > Strictly speaking, you probably would want to use the following
> > > > modifications for his specific need:
> > > >
> > > > log tcp any any -> any $PORT_HTTP (msg:"text mime type
> > > > detected in web traffic"; content:"Content-Type: text/"; http_header;
> > > > classtype:"web-application-activity"; sid:1000001; rev:1;
> > > > tag:session;)
> > > >
> > > > :)
> > > >
> > > > Cheers,
> > > > Frank
> >
> > -------------------------------------------------------------------------
> >
> > > > ----- Open Source Business Conference (OSBC), March 24-25, 2009, San
> > > > Francisco, CA
> > > > -OSBC tackles the biggest issue in open source: Open Sourcing the
> > > > Enterprise
> > > > -Strategies to boost innovation and cut costs with open source
> > > > participation
> > > > -Receive a $600 discount off the registration fee with the source
> > > > code: SFAD
> > > > http://p.sf.net/sfu/XcvMzF8H
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users<
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-users%0ASn
> >
> > > > ort-users>list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users