Snort mailing list archives
Re: Help with a signature
From: Jamie Riden <jamie.riden () gmail com>
Date: Sat, 15 Sep 2012 15:22:43 +0100
Not exactly sure why this didn't match, but you should try uricontent instead of content - it's normalised by the http_preprocessor. I believe there are some bleeding edge rules which match on =http if you want to compare - it's a more general RFI signature. cheers, Jamie On 14 September 2012 14:06, Wilson, Dave <Dave.Wilson () wwt com> wrote:
Hello,****
** **
I'm trying to create a snort rule that will alert on traffic that contains
"rfihub" as part of the url. Here is an example of the TCP stream of a
packet that I'd want to alert on.****
** **
00000000 47 45 54 20 2f 63 6d 3f 70 69 64 3d 32 30 37 36 GET /cm?
pid=2076****
00000010 32 35 30 66 2d 39 32 63 32 2d 34 65 63 64 2d 39 250f-92c
2-4ecd-9****
00000020 30 34 33 2d 63 63 36 33 65 65 36 63 34 35 37 37 043-cc63
ee6c4577****
00000030 26 64 73 74 3d 68 74 74 70 25 33 41 25 32 46 25 &dst=htt
p%3A%2F%****
00000040 32 46 70 2e 72 66 69 68 75 62 2e 63 6f 6d 25 32 2Fp.rfih
ub.com%2****
00000050 46 63 6d 25 33 46 69 6e
Fcm%3Fin ****
00000058 5b 31 32 37 32 20 62 79 74 65 73 20 6d 69 73 73 [1272 by
tes miss****
00000068 69 6e 67 20 69 6e 20 63 61 70 74 75 72 65 20 66 ing in c
apture f****
00000078 69 6c 65 5d
ile]****
0000007C 61 74 68 65 72 2e 63 6f 6d 25 32 46 6d 61 6e 61 ather.com%2Fmana
****
0000008C 67 65 64 66 65 25 32 46 6d 61 6b 65 52 65 71 75 gedfe%2F
makeRequ****
0000009C 65 73 74 2d 6d 61 78 2e 68 74 6d 6c 25 33 46 70 est-max.
html%3Fp****
000000AC 6f 73 25 33 44 57 58 5f 54 6f 70 33 30 30 56 61 os%3DWX_
Top300Va****
000000BC 72 69 61 62 6c 65 26 70 66 3d 0d 0a 43 6f 6f 6b riable&p
f=..Cook****
000000CC 69 65 3a 20 69 3d 65 31
ie: i=e1 ****
00000000 48 54 54 50 2f 31 2e 31 20 33 30 32 20 4f 4b 0d
HTTP/1.1 302 OK.****
00000010 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 .Content
-Type: t****
00000020 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 ext/html
; charse****
00000030 74 3d 75 74 66 2d 38 0d 0a 50 33 50 3a 20 43 50 t=utf-8.
.P3P: CP****
00000040 3d 22 43 55 52 20 41 44 4d 20 4f 55 52 20 4e 4f ="CUR AD
M OUR NO****
00000050 52 20 53 54 41 20 4e 49
R STA NI ****
** **
** **
Here is the rule I put together:****
** **
** **
alert tcp any any -> any any (msg:"Zeroaccess variant"; content:"|72 66 69
68 75 62|" sid:1000001;)****
** **
** **
When feed the pcap into snort, It'll process it, but not alert. I've
tried changing the protocol from tcp to http, but snort chokes and tells me
"Bad Protocol: http"****
** **
I'm still very new at writing snort rules, so I apologize in advance for
any helpful details I've left out. I really appreciate any
assistance...thank you.****
** **
Dave****
------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don\\\'t know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
-- Jamie Riden / jamie () honeynet org / jamie.riden () gmail com http://uk.linkedin.com/in/jamieriden
------------------------------------------------------------------------------ How fast is your code? 3 out of 4 devs don\\\'t know how their code performs in production. Find out how slow your code is with AppDynamics Lite. http://ad.doubleclick.net/clk;262219672;13503038;z? http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Help with a signature Wilson, Dave (Sep 15)
- Re: Help with a signature Jamie Riden (Sep 15)
- Re: Help with a signature Alex Kirk (Sep 15)
- Re: Help with a signature Jamie (Sep 15)
- Re: Help with a signature Alex Kirk (Sep 15)
- Re: Help with a signature Jamie Riden (Sep 15)