Snort mailing list archives
Re: Help with a signature
From: Jamie Riden <jamie.riden () gmail com>
Date: Sat, 15 Sep 2012 15:22:43 +0100
Not exactly sure why this didn't match, but you should try uricontent instead of content - it's normalised by the http_preprocessor. I believe there are some bleeding edge rules which match on =http if you want to compare - it's a more general RFI signature.

cheers,
Jamie

On 14 September 2012 14:06, Wilson, Dave <Dave.Wilson () wwt com> wrote:
Hello,

I'm trying to create a snort rule that will alert on traffic that contains "rfihub" as part of the url. Here is an example of the TCP stream of a packet that I'd want to alert on.

00000000  47 45 54 20 2f 63 6d 3f 70 69 64 3d 32 30 37 36   GET /cm?pid=2076
00000010  32 35 30 66 2d 39 32 63 32 2d 34 65 63 64 2d 39   250f-92c2-4ecd-9
00000020  30 34 33 2d 63 63 36 33 65 65 36 63 34 35 37 37   043-cc63ee6c4577
00000030  26 64 73 74 3d 68 74 74 70 25 33 41 25 32 46 25   &dst=http%3A%2F%
00000040  32 46 70 2e 72 66 69 68 75 62 2e 63 6f 6d 25 32   2Fp.rfihub.com%2
00000050  46 63 6d 25 33 46 69 6e                           Fcm%3Fin
00000058  5b 31 32 37 32 20 62 79 74 65 73 20 6d 69 73 73   [1272 bytes miss
00000068  69 6e 67 20 69 6e 20 63 61 70 74 75 72 65 20 66   ing in capture f
00000078  69 6c 65 5d                                       ile]
0000007C  61 74 68 65 72 2e 63 6f 6d 25 32 46 6d 61 6e 61   ather.com%2Fmana
0000008C  67 65 64 66 65 25 32 46 6d 61 6b 65 52 65 71 75   gedfe%2FmakeRequ
0000009C  65 73 74 2d 6d 61 78 2e 68 74 6d 6c 25 33 46 70   est-max.html%3Fp
000000AC  6f 73 25 33 44 57 58 5f 54 6f 70 33 30 30 56 61   os%3DWX_Top300Va
000000BC  72 69 61 62 6c 65 26 70 66 3d 0d 0a 43 6f 6f 6b   riable&pf=..Cook
000000CC  69 65 3a 20 69 3d 65 31                           ie: i=e1
00000000  48 54 54 50 2f 31 2e 31 20 33 30 32 20 4f 4b 0d   HTTP/1.1 302 OK.
00000010  0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74   .Content-Type: t
00000020  65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65   ext/html; charse
00000030  74 3d 75 74 66 2d 38 0d 0a 50 33 50 3a 20 43 50   t=utf-8..P3P: CP
00000040  3d 22 43 55 52 20 41 44 4d 20 4f 55 52 20 4e 4f   ="CUR ADM OUR NO
00000050  52 20 53 54 41 20 4e 49                           R STA NI

Here is the rule I put together:

alert tcp any any -> any any (msg:"Zeroaccess variant"; content:"|72 66 69 68 75 62|"; sid:1000001;)

When I feed the pcap into snort, it'll process it, but not alert.

I've tried changing the protocol from tcp to http, but snort chokes and tells me "Bad Protocol: http"

I'm still very new at writing snort rules, so I apologize in advance for any helpful details I've left out. I really appreciate any assistance...thank you.

Dave
-- Jamie Riden / jamie () honeynet org / jamie.riden () gmail com http://uk.linkedin.com/in/jamieriden
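The following is an added example, not code from the thread or from either poster. It models the point behind the uricontent advice: a plain content match runs over the raw payload bytes, while uricontent (content with the http_uri modifier in Snort 2.9 syntax) runs over the URI after http_inspect has percent-decoded and cleaned it, so an attacker who encodes a few bytes of the URL defeats the former but not the latter. The request bytes are reconstructed from Dave's hex dump up to the point where the capture notes missing bytes; the " HTTP/1.1" terminator is an assumption because it was not captured, the encoded variant is constructed for the test, and normalize_uri is a simplified model of http_inspect rather than its actual code. The rules quoted in the docstring are written in Snort 2.9 syntax; the first is Dave's rule with the missing semicolon added, the second is the uricontent-style equivalent.

```python
"""Raw content match versus normalized-URI match, modelled in Python.

Snort 2.9 rule forms being compared (hex content |72 66 69 68 75 62| is
byte-for-byte the same pattern as content:"rfihub"):

    alert tcp any any -> any any (msg:"Zeroaccess variant"; \
        content:"|72 66 69 68 75 62|"; sid:1000001;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Zeroaccess variant"; \
        flow:to_server,established; content:"rfihub"; http_uri; nocase; \
        sid:1000001; rev:2;)
"""
from urllib.parse import unquote_to_bytes

# Reconstructed from the hex dump in the thread, up to the bytes Wireshark
# reports missing.  " HTTP/1.1" is assumed; it was not in the capture.
CAPTURED_REQUEST = (
    b"GET /cm?pid=2076250f-92c2-4ecd-9043-cc63ee6c4577"
    b"&dst=http%3A%2F%2Fp.rfihub.com%2Fcm%3Fin HTTP/1.1\r\n\r\n"
)

# Constructed variant: same request with two unreserved bytes percent-encoded.
# Percent-encoding letters is legal, so a raw byte match cannot rely on them.
ENCODED_REQUEST = (
    b"GET /cm?pid=2076250f-92c2-4ecd-9043-cc63ee6c4577"
    b"&dst=%68ttp%3A%2F%2Fp.%72fihub.com%2Fcm%3Fin HTTP/1.1\r\n\r\n"
)


def request_uri(raw_request: bytes) -> bytes:
    """Return the request-target from the request line, untouched."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def normalize_uri(uri: bytes) -> bytes:
    """Simplified model of http_inspect's URI normalization: one pass of
    percent-decoding, plus removal of '/./', '/../' and repeated '/' in the
    path.  Path and query are decoded separately so an encoded '?' in the
    query does not move the path/query split."""
    raw_path, sep, raw_query = uri.partition(b"?")
    segments = []
    for seg in unquote_to_bytes(raw_path).split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return b"/" + b"/".join(segments) + sep + unquote_to_bytes(raw_query)


def content_match(pattern: bytes, buf: bytes, nocase: bool = False) -> bool:
    """Plain substring test, the semantics of the content keyword."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def rule_matches(raw_request: bytes, pattern: bytes,
                 http_uri: bool, nocase: bool = False) -> bool:
    """content:<pattern> against the raw payload (http_uri=False) or against
    the normalized URI buffer (http_uri=True, i.e. uricontent)."""
    buf = normalize_uri(request_uri(raw_request)) if http_uri else raw_request
    return content_match(pattern, buf, nocase)


def remote_include_params(raw_request: bytes) -> list:
    """Generic RFI-style check on the normalized query string: parameters
    whose value is an absolute URL.  This is the idea behind the '=http'
    rules mentioned in the thread; by itself it also fires on ordinary
    redirect and tracking parameters such as dst=, so it needs more context
    in a production rule."""
    uri = normalize_uri(request_uri(raw_request))
    _, _, query = uri.partition(b"?")
    hits = []
    for pair in query.split(b"&"):
        name, _, value = pair.partition(b"=")
        if value.lower().startswith((b"http://", b"https://", b"ftp://")):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("encoded", ENCODED_REQUEST)):
        print(label, "raw:", rule_matches(req, b"rfihub", http_uri=False),
              "uri:", rule_matches(req, b"rfihub", http_uri=True),
              "rfi params:", remote_include_params(req))
```

On the captured request both forms match, because "rfihub" happens to appear unencoded in the payload; on the encoded variant only the http_uri form does. The same holds for the generic "=http" pattern, which the encoded variant carries as "=%68ttp".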
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Help with a signature Wilson, Dave (Sep 15)
- Re: Help with a signature Jamie Riden (Sep 15)
- Re: Help with a signature Alex Kirk (Sep 15)
- Re: Help with a signature Jamie (Sep 15)
- Re: Help with a signature Alex Kirk (Sep 15)
- Re: Help with a signature Jamie Riden (Sep 15)