Re: Question about a Snort rule

[Nigel Houghton <nhoughton () sourcefire com>]

On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
> My engineers are having trouble with a custom rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
>
> Any help would be appreciated.  The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
>
> Thanks.
>
> Miso, CISO

Your rule is looking for "iPad" in a URI. So for the event to occur you 
would need something like http://www.foobar.com/foo/iPad

Additionally, you are using "flags:S;" so the only data you are looking 
at is in SYN packets, so there won't be a URI in the packets anyway.

Take a look at the latest Snort manual, there are examples of rules 
using the http options in there, get some packet capture data of the 
traffic you wish to detect and take it from there.

I'm guessing you will have more questions as you proceed, feel free to 
email the list with them. Send your revised rule to the list if you 
like for further inspection.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org