Re: Rules with options like http_uri of flow

[Onno van der Leun <onno () b00z nl>]

Hi Joel,

You're right. Hadn't noticed those pages yet but found them also just
yet. But thanks for the headsup.

Regards,
Onno.

PS:
@rmkml @Nick
The problem with the rules with option flow are solved. Because of some
unforeseen reasons the switch was mirroring untagged packets exiting the
uplink port with a tag. eg. switchport was configured as untagged
VLAN_X, so I expected the packets would be mirrored just plain to the
mirror port. But the switch added the tag X to the packets during
mirror. That is why snort never could match the flows. So I just put
another brand switch in between and created the mirror on that switch.
Now it works as expected. (at least: as expected by me ;o) )

Thanks for all the insights guys!

On wo, 2013-12-18 at 15:19 +0000, Joel Esler (jesler) wrote:
> Have you tried www.snort.org/docs or manual.snort.org? 
>
>
> --
> Joel Esler
> Intelligence Lead
> Open Source Manager
> Vulnerability Research Team
> Jabber: jesler () cisco com
>
> On Dec 18, 2013, at 3:20 AM, Onno van der Leun <onno () b00z nl> wrote:
>
> > Hi Nick,
> >
> > Do you know any good (current) information about the rules with
> > options
> > explained? Because all doc's I'd find where not clear enough (almost
> > no
> > information or to general) or outdated.
> >
> > About the flow option not working, that part is due to some strange
> > behaviour of the port mirror.
> >
> > Regards,
> > Onno.
> >
> > On di, 2013-12-17 at 21:54 +0000, Nicholas Mavis (nmavis) wrote:
> > > Onno,
> > >
> > > The http_uri option will not work with the content match you've
> > > created as
> > > GET is not within the http_uri buffer. The HTTP method would be in
> > > the
> > > http_method buffer. As for flow established, how are you testing
> > > this
> > > rule? Is there a full tcp handshake seen before the GET request? I
> > > was
> > > able to get this rule to alert with both options, here is the rule
> > > I
> > > created:
> > >
> > > alert tcp any any -> any $HTTP_PORTS (msg:"WEBSERVER - test rule
> > > blaat.txt"; flow:to_server,established; content:"/blaat.txt";
> > > nocase;
> > > http_uri; metadata:service http; classtype:web-application-attack;
> > > sid:1000100; rev:18;)
> > >
> > > -Nick Mavis
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Rapidly troubleshoot problems before they affect your business. Most
> > IT 
> > organizations don't have a clear picture of how application
> > performance 
> > affects their revenue. With AppDynamics, you get 100% visibility
> > into your 
> > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
> > AppDynamics Pro!
> > http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!