Snort mailing list archives

Re: Rules with options like http_uri of flow


From: rmkml <rmkml () yahoo fr>
Date: Tue, 17 Dec 2013 22:11:41 +0100 (CET)

Hi Onno,

Could you check when checksum verification is disabled, please? (-k none)

Regards
@Rmkml



On Tue, 17 Dec 2013, onno () b00z nl wrote:

Hi,

I've some, at least for me, weird behaviour with Snort rules. I have already
reinstalled everything 3 times, but still haven't got it to work.
The sensor is passive and connected to a switch monitor port. I'm testing
the setup for monitoring both in- and outbound traffic, so I configured
both HOME_NET and EXTERNAL_NET with any.

While I was testing, I discovered that I was unable to fire some rules. So
I created the following test rules:

This one is working when requesting a URL like http://<hostname>/blaat.txt:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEBSERVER - test rule blaat.txt"; content:"GET /blaat.txt"; nocase; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;)

This rule is derived from an existing one. But the existing one that I
modified also has the following options:
flow:to_server,established; and/or http_uri;
But as soon as I add one of those options, the rule won't fire. And
because of that I think that there might be something wrong with my setup
and that it also won't hit on other rules.

This is an example of a rule that won't fire:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEBSERVER - test rule blaat.txt"; flow:to_server,established; content:"GET /blaat.txt"; nocase; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;)

Even without the flow option and with http_uri, it does not work.

Any insight would be great.
Thanks!
Onno.
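As an added illustration (not from either post) of why the http_uri variant of the rule above cannot match: in Snort the http_uri buffer holds only the normalized request URI, never the method, so "GET /blaat.txt" is matched by splitting it across http_method and http_uri. The sid value is a placeholder; $HTTP_SERVERS, $HTTP_PORTS and an enabled http_inspect preprocessor are assumed from the usual snort.conf.

```snort
# Added example, not part of the original thread.
# The http_uri buffer contains only the normalized URI ("/blaat.txt"),
# so content:"GET /blaat.txt"; http_uri; can never match a real request.
# Match each part in the buffer that actually carries it:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEBSERVER - test rule blaat.txt (http_uri)"; \
    flow:to_server,established; \
    content:"GET"; http_method; nocase; \
    content:"/blaat.txt"; http_uri; nocase; \
    metadata:ruleset community, service http; \
    classtype:web-application-attack; \
    sid:1000002; rev:1; )   # sid is a placeholder in the local-rule range
```

If this still stays silent while the plain content rule fires, flow:established is the likely culprit: stream5 must see the TCP session, and rmkml's -k none suggestion rules out packets being discarded for bad checksums before that happens.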


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org