Snort mailing list archives

Re: rule?


From: Frank Calone <fc10011001 () gmail com>
Date: Tue, 13 Aug 2013 18:08:59 -0400

Some lessons are learned the hard way!  I added the -k none and -P 65535.
This did not change the end result though.  I am still getting the stats to
show no alerts.

Frank

On Tue, Aug 13, 2013 at 5:53 PM, Joel Esler <jesler () sourcefire com> wrote:

Dear Frank,

First things first, try checking this out:

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

  On Aug 13, 2013, at 5:18 PM, Frank Calone <fc10011001 () gmail com> wrote:

  I’m trying to alert when I find this pattern within say the first 15
bytes of the file data of an http session.  My rule is not working and I
don’t know why.  I have a pcap file and am playing it back as follows:
snort -dvr file1.pcap -c /etc/snort/snort.conf


The stats at the end show zero alerts.


Here is my rule:


 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"pcap file
hit"; flow:to_client,established; content:"Content-Type: text/html";
http_header; content:"|0d 0a|"; http_header; file_data; content:"|1f 2f|";
depth:15; flowbits:set,tagged; tag:session,0,packets,1000,seconds;
sid:3889999; rev:0;)


so, I am looking for hex “1f 2f” within the first 15 bytes of the file
data of the http session.


The pcap data has the following info:
64 69 6E 67 3A 20 63 68 75 6E 6B 65 64 0D 0A 43  ding: chunked..C
6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78  ontent-Type: tex
74 2F 68 74 6D 6C 0D 0A 0D 0A 52 50 30 30 1F 2F  t/html....RP00./
18 56 61 88 18 1B 18 20 20 1C 20 18 18 E7 E7 18  .Va.............

Frank

Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



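An added example, not part of the thread, that replays the `content:"|1f 2f|"; depth:15;` check from Frank's rule against the body bytes in his hex dump. The status line and the full `Transfer-Encoding: chunked` header are constructed (only their tail is visible in the mail), and the `dechunk` helper exists because Snort's http_inspect hands `file_data` the dechunked/decompressed response body rather than the raw wire bytes, so the offsets that matter are the ones in that normalized buffer.

```python
# Constructed response: headers assumed, body bytes copied from the dump in the mail.
BODY = bytes.fromhex(
    "52 50 30 30 1F 2F 18 56 61 88 18 1B 18 20 20 1C 20 18 18 E7 E7 18"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n" + BODY
)


def split_response(raw: bytes):
    """Return (headers, body) split at the first blank line."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of headers")
    return raw[:sep + 4], raw[sep + 4:]


def content_depth_match(buf: bytes, pattern: bytes, depth: int):
    """Snort 'content ... depth:N' semantics: the whole pattern must sit inside
    the first N bytes of the buffer. Returns the match offset or None."""
    idx = buf[:depth].find(pattern)
    return idx if idx >= 0 else None


def dechunk(body: bytes):
    """Decode an HTTP/1.1 chunked body. Returns None when the body does not
    start with a hex chunk-size line, i.e. when it is not really chunked."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return None
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return None
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF


def file_data_offset(raw: bytes):
    """Offset of |1f 2f| within depth 15 of the body Snort would inspect:
    the dechunked body if the header says chunked, else the raw body."""
    headers, body = split_response(raw)
    buf = dechunk(body) if b"Transfer-Encoding: chunked" in headers else body
    return None if buf is None else content_depth_match(buf, b"\x1f\x2f", 15)
```

On the raw body the pattern sits at offset 4, well inside `depth:15`; on the dump as shown, the declared chunked body has no parseable chunk-size line, so the normalized buffer the rule actually sees is what to verify first.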
