Snort mailing list archives

Re: Rules across tcp headers & http headers/payload


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 04 Mar 2013 13:01:04 -0500

On 3/4/2013 05:50, Andy Richards wrote:
Hi,

I'm new to snort and am trying to evaluate if I can write a custom snort rule which can filter/match across tcp headers
and http headers/payload.

I understand that the Stream5 pre processor is probably the way I need to go; however, from the documentation I can't
fathom out if I can match across tcp/http packet types? For example, in my rule I would like to identify if an
individual (I'm assuming I can use source ip and port for this?) is sending/receiving the following packet scenario:

1) a tcp syn sent to the client followed by...
2) a http POST from the client to certain URL for example "POST /someurl" followed by...
3) a http payload to the client for example beginning with "HTTP/1.1 200 OK..." followed by...
4) a tcp fin to the client

As you can see my example spans across tcp headers and http headers/payload in both directions.

Is this mix/combination of tcp & http inspect possible with Snort rules?

If the connection traffic all takes place in the same session, you might be able
to do this... you'll need to look at checking and setting flowbits...

I've done something similar but it doesn't work as desired when the traffic is
in different sessions... at that time, flowbits were not working across
sessions... they may now in the 2.9 series of snort...
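The flowbits chaining suggested above, written out as an added example (not part of this thread and not from the Snort project) for the four-step scenario in the question. It assumes the client sits in $HOME_NET and opens the connection to a web server in $EXTERNAL_NET on $HTTP_PORTS, that "/someurl" is the path from the question, and that sids 1000001-1000004 are free in local.rules; the flowbit names are made up here.

```snort
# Added example, not from the thread: chain SYN -> POST -> 200 OK -> FIN
# with flowbits inside one TCP session tracked by stream5.
# Assumed: client in $HOME_NET, server in $EXTERNAL_NET:$HTTP_PORTS,
# sids 1000001-1000004 unused locally.

# Step 1: client SYN opens the session. flow:stateless is required because
# the handshake is not established yet; noalert keeps this rule silent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CHAIN step1 client SYN"; \
    flags:S; flow:stateless; flowbits:set,chain_syn; flowbits:noalert; \
    sid:1000001; rev:1;)

# Step 2: POST to /someurl on the same session, only if step 1 was seen.
# Method and URI live in separate HTTP buffers, so they are two contents.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CHAIN step2 POST /someurl"; \
    flow:to_server,established; flowbits:isset,chain_syn; \
    content:"POST"; http_method; content:"/someurl"; http_uri; \
    flowbits:set,chain_post; flowbits:noalert; sid:1000002; rev:1;)

# Step 3: server answers "HTTP/1.1 200 OK" after the POST (status code
# and status message are matched in their own HTTP buffers).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAIN step3 200 OK"; \
    flow:to_client,established; flowbits:isset,chain_post; \
    content:"200"; http_stat_code; content:"OK"; http_stat_msg; \
    flowbits:set,chain_ok; flowbits:noalert; sid:1000003; rev:1;)

# Step 4: server FIN (usually FIN+ACK on the wire, hence F+) after the
# 200 OK. This is the only rule in the chain that actually alerts.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAIN complete: SYN, POST /someurl, 200 OK, FIN"; \
    flags:F+; flow:to_client,established; flowbits:isset,chain_ok; \
    flowbits:unset,chain_ok; sid:1000004; rev:1;)
```

Flowbits are kept per stream5 session, so all four packets must belong to the same TCP connection, which is exactly the limitation the reply describes. Step 1 is strictly redundant, since flow:established on step 2 already implies the handshake was seen, but it is kept to mirror the four steps asked about.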

