Snort mailing list archives

Re: Rules with options like http_uri of flow


From: Onno van der Leun <onno () b00z nl>
Date: Wed, 18 Dec 2013 09:20:31 +0100

Hi Nick,

Do you know any good (current) information about the rules with options
explained? All the docs I could find were not clear enough (almost no
information or too general) or outdated.

About the flow option not working, that part is due to some strange
behaviour of the port mirror.

Regards,
Onno.

On di, 2013-12-17 at 21:54 +0000, Nicholas Mavis (nmavis) wrote:
Onno,

The http_uri option will not work with the content match you've created as
GET is not within the http_uri buffer. The HTTP method would be in the
http_method buffer. As for flow established, how are you testing this
rule? Is there a full tcp handshake seen before the GET request? I was
able to get this rule to alert with both options, here is the rule I
created:

alert tcp any any -> any $HTTP_PORTS (msg:"WEBSERVER - test rule blaat.txt"; flow:to_server,established; content:"/blaat.txt"; nocase; http_uri; metadata:service http; classtype:web-application-attack; sid:1000100; rev:18;)

-Nick Mavis
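As an added illustration (not from either poster), here is the shape of a rule that puts each content match in the buffer Nick describes: the request method is checked in http_method and the path in http_uri. The sid, message text and the $EXTERNAL_NET/$HOME_NET variables are assumptions for the example.

```snort
# Added example, not from the thread. Snort 2.9 rule syntax with line
# continuation. A match such as  content:"GET"; http_uri;  can never fire,
# because the http_uri buffer holds only the normalized URI ("/blaat.txt"),
# never the method. The method lives in the http_method buffer, so each
# string is checked against the buffer that actually contains it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"WEBSERVER - GET /blaat.txt (method and URI buffers)"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/blaat.txt"; nocase; http_uri; \
    metadata:service http; \
    classtype:web-application-attack; \
    sid:1000101; rev:1; \
)
```

As Nick notes, flow:to_server,established also requires the sensor to have seen the full TCP handshake, so a one-sided port mirror or a replayed capture without the SYN/SYN-ACK/ACK will keep this rule silent regardless of the content matches.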



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
