Snort mailing list archives
Re: Issue while detecting patterns in a simple HTTP Page [Web client based]
From: Sujit Ghosal <thesujit () gmail com>
Date: Mon, 22 Nov 2010 10:27:19 +0530
Below is my snort rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP Test Rule"; flow:established,to_client; content:"html"; nocase; classtype:web-application-attack; reference:url, www.exploit-db.com/exploits/999999; sid:9000; rev:1;) And this is my snort.conf file entries: http://vim.pastey.net/143149 - Sujit On Mon, Nov 22, 2010 at 6:43 AM, waldo kitty <wkitty42 () windstream net>wrote:
On 11/21/2010 13:59, Sujit Ghosal wrote:Hey Guys, I have installed Snort v2.8.x in FC-13//Ubuntu v10.10 and everythinggotinstalled/configured (installed through Redhat Package Manager//SynapticPackageManager) successfully. But while writing a rule to detect a simplepatterninside HTML body, snort is failing to do so! If I check for the HTTP MIME headers only i.e. "Content-Type:", "Via:" etc. then snort detects thosepatternsflawlessly. Even I wrote a simple rule to detect GET requests over$HTTP_PORTSand its working fine.can you post the rule that you have that is not working??But while it comes to check for the contents inside the HTML body (clientsideweb pages) entity then snort is not even detecting a single <html> tag. Iguess,its an issue with any preprocessors, but I have no idea that whichpreprocessorcould be creating such issues.we might need to see your snort.conf file, too... but let's look at your rule first ;)I am fully stuck in that place and not able to figure out that how Ishould fixthis silly problem. Please help. Any help would be more appreciated.we will do what we can :) ------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today http://p.sf.net/sfu/msIE9-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Issue while detecting patterns in a simple HTTP Page [Web client based] Sujit Ghosal (Nov 22)
- Re: Issue while detecting patterns in a simple HTTP Page [Web client based] waldo kitty (Nov 22)
- Re: Issue while detecting patterns in a simple HTTP Page [Web client based] Sujit Ghosal (Nov 22)
- Re: Issue while detecting patterns in a simple HTTP Page [Web client based] Alex Kirk (Nov 22)
- Re: Issue while detecting patterns in a simple HTTP Page [Web client based] Sujit Ghosal (Nov 22)
- Re: Issue while detecting patterns in a simple HTTP Page [Web client based] waldo kitty (Nov 22)