Snort mailing list archives

Re: URI content not being identified


From: Jelte <masterjel5000 () hotmail com>
Date: Thu, 8 May 2014 19:27:01 +0200

You said:

Changing the "content:" to "uricontent" or "http_uri" should not work.
The "content" keyword allows you to search for a string pattern, in your
case "/test.php". Content modifiers on the other hand apply to your
content. So to have your rule corrected try something like:
content:"/test.php"; http_uri;

I am aware that I should place http_uri; separate from the content
specification, but this doesn't work. Also I see no reason why replacing
"content" with "uricontent" should not work, because as the official
Snort documentation says: "This is equivalent to using the http_uri
modifier to a content keyword." (refer to
http://manual.snort.org/node385.html).

You also said:

I would also add flow direction in the rule: flow:to_server,
established for example, depending on the direction of the traffic
(3-way handshake).

I agree that this is a preferable addition in order to fine-tune the
rule, but adding this makes no difference when I have
content:"/test.php"; http_uri; in my rule, i.e. it still does not
trigger an alert. This also seems logical because it only applies an
additional filter.

Nonetheless, thanks for your suggestions! I still hope someone is able
to help me with this :-)

Y M wrote on 5/8/2014 6:06 PM:
Date: Thu, 8 May 2014 17:44:34 +0200
From: masterjel5000 () hotmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] URI content not being identified

Hello all,

I have the following Snort rule:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test";
content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)

Now when I visit mysite.com/test.php an alert is correctly generated.
However, as soon as I change "content" to "uricontent", or add
"http_uri;" before the "classtype", no alert is generated. I analyzed
the traffic using tshark and I can see requests to "test.php" coming
through. Do you know any step I could take that may help to identify
what is causing this?
Changing the "content:" to "uricontent" or "http_uri" should not work.
The "content" keyword allows you to search for a string pattern, in your
case "/test.php". Content modifiers on the other hand apply to your
content. So to have your rule corrected try something like:
content:"/test.php"; http_uri;
I would also add flow direction in the rule: flow:to_server,established
for example, depending on the direction of the traffic (3-way handshake).
Thanks!

------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
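The following is an added example, not code from the thread or from the Snort project. It is a toy Python model of the one thing the thread turns on: a plain "content" match runs against the whole packet payload, while "http_uri" (and its "uricontent" shorthand) runs against a separate URI buffer that only exists when the HTTP inspector has normalized that traffic. The rule parser handles just the content/uricontent/http_uri subset, the request bytes are constructed, and the "inspected" flag stands in for whether http_inspect covers the port in question; none of this is Snort's real implementation.

```python
"""Toy model of Snort buffer selection for content matches (constructed example).

Assumptions, not Snort internals:
  - the "raw" buffer is the whole TCP payload;
  - the "uri" buffer is the request-target of the first request line, and it is
    only populated when the HTTP inspector handles the traffic (inspected=True).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Match:
    pattern: bytes
    buffer: str = "raw"  # "raw" = entire payload, "uri" = normalized URI buffer


def parse_rule_options(options: str) -> List[Match]:
    """Parse the content / uricontent / http_uri subset of a rule's option list.

    A modifier such as http_uri applies to the content keyword that precedes it,
    which is why it is written as its own option after the content string.
    """
    matches: List[Match] = []
    for opt in (o.strip() for o in options.strip("()").split(";") if o.strip()):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            matches.append(Match(val.encode()))
        elif key == "uricontent":  # shorthand for content + http_uri
            matches.append(Match(val.encode(), "uri"))
        elif key == "http_uri":
            if not matches:
                raise ValueError("http_uri must follow a content keyword")
            matches[-1].buffer = "uri"
        # msg, sid, classtype, flow, ... are ignored by this toy model
    return matches


def normalized_uri(payload: bytes, inspected: bool) -> bytes:
    """Model of the URI buffer the HTTP inspector would expose.

    Traffic the inspector does not handle has no URI buffer at all, so any
    http_uri / uricontent match against it can never succeed.
    """
    if not inspected:
        return b""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_fires(options: str, payload: bytes, inspected: bool = True) -> bool:
    """True when every content match in the rule finds its pattern in its buffer."""
    uri = normalized_uri(payload, inspected)
    for m in parse_rule_options(options):
        haystack = uri if m.buffer == "uri" else payload
        if m.pattern not in haystack:
            return False
    return True


# Constructed sample requests (not captured traffic).
REQUEST = (b"GET /test.php?x=1 HTTP/1.1\r\n"
           b"Host: mysite.com\r\n\r\n")
REFERER_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: mysite.com\r\n"
                   b"Referer: http://mysite.com/test.php\r\n\r\n")

# The two rule variants discussed in the thread (option lists only).
RAW_RULE = '(msg:"HTTP content test"; content:"test.php"; sid:5000001;)'
URI_RULE = '(msg:"HTTP content test"; content:"/test.php"; http_uri; sid:5000002;)'


def main() -> None:
    for label, rule in (("raw content", RAW_RULE), ("http_uri", URI_RULE)):
        print(f"{label:12} inspected,   /test.php   -> {rule_fires(rule, REQUEST)}")
        print(f"{label:12} uninspected, /test.php   -> {rule_fires(rule, REQUEST, False)}")
        print(f"{label:12} inspected,   Referer hit -> {rule_fires(rule, REFERER_REQUEST)}")


if __name__ == "__main__":
    main()
```

Two things the model makes visible. First, when the traffic is not handled by the HTTP inspector, the http_uri rule goes silent while the plain content rule keeps firing, which is the symptom in the thread; in Snort the URI buffer is filled by the http_inspect preprocessor, so the port and server configuration of that preprocessor is the first thing to check. Second, the unmodified content rule also fires when "test.php" appears only in a Referer header, so the http_uri form is the tighter and preferable rule once the inspector is confirmed to be in play.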