Snort mailing list archives

Re: "http_client_body" rule not working


From: rmkml <rmkml () yahoo fr>
Date: Fri, 27 Jul 2012 00:52:31 +0200 (CEST)

Hi Shaiming,
Can you try with wget or curl cmd line please?
like http post: wget --post-data="world" http://<target_host>:80/hello

In your example, you have missed ending your web request with "HTTP/1.0" or "HTTP/1.1"...
Regards
Rmkml


On Thu, 26 Jul 2012, Shaiming Hsiung wrote:

Hello,

I am attempting to write rules to filter http requests.

I have been able to write rules that filter packets by the content
of the http request header (using "uricontent" or "http_uri"), but
rules matching the content of the http request body are not working.
I've tested it under Snort versions 2.9.2 and 2.9.3.

** Minimal snort.conf

preprocessor stream5_global: track_tcp yes track_udp yes
preprocessor stream5_tcp: policy bsd, timeout 86400, ports all
preprocessor stream5_udp: timeout 86400

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }

drop tcp any any -> any any (sid:1234567; msg:"test1"; content:"world"; http_client_body;)

** Command line to start snort

$ snort -dev --daq ipq -Q

** Command line to test it

$ echo world | POST http://<target_host>:80/hello

**

Unfortunately, Snort is not dropping the request.

There does not seem to be any other issue
(e.g. the traffic is indeed going through Snort and
the TCP packets are not being fragmented).
Also, as I stated before, http_uri is working correctly.
If I change the rule to:

drop tcp any any -> any any (sid:1234567; msg:"test1"; content:"hello"; http_uri;)

Snort does drop the request.

I hope you can find an explanation or point out my
mistake.

Thanks in advance for your help,
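The difference rmkml points at, modelled in Python as an added example (this is not Snort's http_inspect code and not code from either poster): a request line that carries "HTTP/1.0" or "HTTP/1.1" is parsed into headers and a body, while a bare "METHOD URI" line is treated as an HTTP/0.9-style simple request, which by definition has no headers and no body. That is one explanation consistent with both observations in the thread, a http_uri rule still matching while a http_client_body rule has nothing to inspect; that the real inspector handles a version-less line this way is my assumption, not a statement from the thread. The two sample requests are constructed, not captured traffic.

```python
"""Simplified model of how an HTTP inspector fills the buffers that
"http_uri" and "http_client_body" rules match against.

Added example, not Snort's http_inspect implementation. The sample
requests are constructed; WELL_FORMED approximates what
`wget --post-data="world"` sends, VERSIONLESS is a request line with
no HTTP version token.
"""
import re
from typing import NamedTuple, Optional

VERSION_TOKEN = re.compile(rb"HTTP/1\.[01]")


class HttpBuffers(NamedTuple):
    method: bytes
    uri: bytes    # what a "http_uri" rule would inspect
    body: bytes   # what a "http_client_body" rule would inspect


def extract_buffers(raw: bytes) -> Optional[HttpBuffers]:
    """Parse a raw request into (method, uri, body); None if not HTTP at all."""
    first, _, rest = raw.partition(b"\r\n")
    tokens = first.split(b" ")

    if len(tokens) == 2:
        # "METHOD URI" with no version: a 0.9-style simple request.
        # Assumption of this model: such a request carries no headers and
        # no body, so the URI buffer is filled but the body buffer is empty.
        return HttpBuffers(tokens[0], tokens[1], b"")

    if len(tokens) != 3 or not VERSION_TOKEN.fullmatch(tokens[2]):
        return None  # not a request line we recognise: no buffers at all

    head, sep, body = rest.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers never terminated by a blank line

    headers = {}
    for line in head.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    try:
        length = int(headers.get(b"content-length", b"0"))
    except ValueError:
        return None  # unparseable Content-Length: refuse to guess a body
    return HttpBuffers(tokens[0], tokens[1], body[:length])


def rule_fires(raw: bytes, pattern: bytes, buffer: str) -> bool:
    """Would `content:"<pattern>"; <buffer>;` match this request?"""
    bufs = extract_buffers(raw)
    if bufs is None:
        return False
    target = {"http_uri": bufs.uri, "http_client_body": bufs.body}[buffer]
    return pattern in target


# Constructed sample requests (not captured traffic).
WELL_FORMED = (
    b"POST /hello HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"world"
)
VERSIONLESS = b"POST /hello\r\n\r\nworld"

if __name__ == "__main__":
    for name, req in (("well-formed", WELL_FORMED), ("version-less", VERSIONLESS)):
        print(name,
              "http_uri:hello ->", rule_fires(req, b"hello", "http_uri"),
              "http_client_body:world ->", rule_fires(req, b"world", "http_client_body"))
```

Run as a script it prints both rules firing for the well-formed request and only the http_uri rule firing for the version-less one, which is exactly the symptom reported above. When a body rule does not fire, capturing the raw request on the wire and checking its first line for the version token is therefore the first thing to verify before suspecting the rule itself.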
