Snort mailing list archives
Re: Rules across tcp headers & http headers/payload
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 04 Mar 2013 13:01:04 -0500
On 3/4/2013 05:50, Andy Richards wrote:
Hi, I'm new to snort and am trying to evaluate if I can write a custom snort rule which can filter/match across tcp headers and http headers/payload. I understand that the Stream5 preprocessor is probably the way I need to go, however from the documentation I can't fathom out if I can match across tcp/http packet types? For example, in my rule I would like to identify if an individual (I'm assuming I can use source ip and port for this?) is sending/receiving the following packet scenario:

1) a tcp syn sent to the client followed by...
2) a http POST from the client to a certain URL, for example "POST /someurl", followed by...
3) a http payload to the client, for example beginning with "HTTP/1.1 200 OK...", followed by...
4) a tcp fin to the client

As you can see my example spans across tcp headers and http headers/payload in both directions. Is this mix/combination of tcp & http inspect possible with Snort rules?
if the connection traffic all takes place in the same session, you might be able to do this... you'll need to look at checking and setting flowbits... i've done something similar but it doesn't work as desired when the traffic is in different sessions... at that time, flowbits were not working across sessions... they may now in the 2.9 series of snort...
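As an added illustration of the flowbits approach the reply points at (not rules from the thread or from any Snort ruleset), the two stages of the question that carry content, the client's POST and the server's 200 OK, chained through one per-session flowbit; the rule names, SIDs, the flowbit name and the standard $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables are assumptions:

```snort
# Added example, not from the thread. Stage 1: a client POST to the URL from
# the question marks the session with a flowbit but raises no alert by itself.
# flow:established already implies the TCP handshake (the SYN in step 1).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE POST to /someurl seen, marking session"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/someurl"; http_uri; \
    flowbits:set,example.post_someurl; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Stage 2: the server's 200 OK back to the same client, in the same session,
# alerts only if stage 1 was seen first. The bit is cleared afterwards so one
# POST does not keep matching every later response in the same session.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE 200 OK following POST to /someurl"; \
    flow:to_client,established; \
    flowbits:isset,example.post_someurl; \
    content:"HTTP/1.1 200 OK"; depth:15; \
    flowbits:unset,example.post_someurl; \
    sid:1000002; rev:1; )
```

The FIN in step 4 needs no rule of its own: once Stream5 tears the session down the flowbit goes with it, which is exactly the same-session limitation the reply describes.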