Re: Rules with options like http_uri of flow

[Nicholas Mavis <nmavis () sourcefire com>]

Onno,

The http_uri option will not work with the content match you've
created as GET is not within the http_uri buffer. The HTTP method
would be in the http_method buffer. As for flow established, how are
you testing this rule? Is there a full tcp handshake seen before the
GET request? I was able to get this rule to alert with both options,
here is the rule I created:

alert tcp any any -> any $HTTP_PORTS (msg:"WEBSERVER - test rule
blaat.txt"; flow:to_server,established; content:"/blaat.txt"; nocase;
http_uri; metadata:service http; classtype:web-application-attack;
sid:1000100; rev:18;)

-Nick Mavis

On Tue, Dec 17, 2013 at 4:11 PM, rmkml <rmkml () yahoo fr> wrote:
> Hi Onno,
>
> Could you check when disable cksum verification please ? (-k none)
>
> Regards
> @Rmkml
>
>
>
> On Tue, 17 Dec 2013, onno () b00z nl wrote:
>
> > Hi,
> >
> > I've some, at least for me, weird behaviour with snort rules. I already
> > reinstalled every thing 3 times, but still haven't it to work.
> > The sensor is passive and connected to a switch monitor port. I'm testing
> > the setup for monitoring both in- and outbound traffic, so I configured
> > both HOME_NET and EXTERNAL_NET with any.
> >
> > While I was testing, I discovered that I was unable to fire some rules. So
> > I created the following test rules:
> >
> > This one is working when requesting an URL like http://<hostname>/blaat.txt
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEBSERVER -
> > test rule blaat.txt"; content:"GET /blaat.txt"; nocase; metadata:ruleset
> > community, service http; classtype:web-application-attack; sid:1002;
> > rev:18;)
> >
> > This rule is derived from an existing one. But the modified existing one
> > has also the following options:
> > flow:to_server,established; and/or http_uri;
> > But as soon as I add one of those options, the rule won't fire. And
> > because of that I think that there might be something wrong with my setup
> > and that it won't hit on other rules also.
> >
> > This is an example of a rule that won't fire:
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEBSERVER -
> > test rule blaat.txt"; flow:to_server,established; content:"GET
> > /blaat.txt"; nocase; metadata:ruleset community, service http;
> > classtype:web-application-attack; sid:1002; rev:18;)
> >
> > Even without the flow option and with http_uri, it does not work.
> >
> > Any insight would be great.
> > Thanks!
> > Onno.
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!