Snort mailing list archives

Re: Can't generate alerts on HTTP GET attacks


From: Ryan <ryan () organizedvillainy com>
Date: Wed, 02 Jul 2014 14:42:23 -0500

You have a double slash (//) at the beginning of your content match
filter.  "//index.php?" vs "/index.php?"

Also, you could add:
content:"GET"; http_method;

-Ryan!

On 7/2/14 2:34 PM, Sabawoon Mageedzada wrote:
Hi everyone, I would appreciate it if someone could help me please. I am a
newbie.

I have to generate alerts running pcap files that contain HTTP GET
attacks (might be a different level of attack).

Provided examples after my buddy's request. I have copied these from a
csv file. Sorry for the format. I have pcap files full of these
attacks, but can't figure out a snort rule to generate alerts while
running these packets.

This is my snort rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some
kind of get attack attempt"; flow:to_server,established;
content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F ";
http_uri; content:"id="; meta; metadata:service http;
reference:bugtraq,10129; classtype:web-application-activity;
sid:2588001; rev:8;)

These are the attacks I got from my csv file, but they are also in
pcap format. I have a lot of these kinds of attacks stored in pcap
files but can't generate alerts when I run snort on the pcap files.

2010-Oct-07 03:19:14.760262 someip 53181 > someip 80 websiteurl
/webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
vid=http://www.vimeo.com/moogaloop.swf?clip_id=/

2010-Oct-07 01:18:50.635566 some ip 57991 > some ip 80 urofwebsite
/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
keywords=http://revftdrcghjw.com/ HTTP/1.1

2010-Oct-07 01:18:51.615340 some ip 50523 > some ip 80 ureofwebsite
/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
keywords=http:revftdrcghjw.com/

2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite
/webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/
vid=http:/www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


Attachment: signature.asc
Description: OpenPGP digital signature
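The two points in Ryan's reply can be checked without loading the rule into Snort. The script below is an added example, not code from the thread or from the Snort project: it reassembles the second request from the post as a constructed sample and emulates a `content:` match against three Snort buffers (`http_method`, `http_raw_uri`, `http_uri`). The normalization step is an assumption on my part, a rough model of what http_inspect does to the `http_uri` buffer under its default `ascii` and `multi_slash` settings (percent-escapes decoded, repeated slashes in the path collapsed); real http_inspect does more. It shows why the posted pattern (double slash, plus the trailing space inside the quotes as pasted) never fires, that Ryan's single-slash pattern matches the raw URI, and one further caveat: because `http_uri` is the normalized buffer, a pattern written with `%3A%2F%2F` only matches there once you use the decoded form, or switch the rule to `http_raw_uri`. Separately, note that the stray `meta;` token in the posted rule is not a Snort rule option and will stop the rule from loading at all.

```python
"""Emulate Snort content matches on an HTTP request (added example, not Snort code).

Models three Snort buffers: http_method, http_raw_uri (URI as sent) and
http_uri (normalized). Normalization here is a deliberate approximation of
http_inspect's defaults: decode %XX escapes and collapse repeated slashes in
the path. Python 3.9+.
"""
import re
from urllib.parse import unquote

# Constructed sample, reassembled from the second log entry in the post.
SAMPLE_REQUEST = (
    "GET /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F HTTP/1.1\r\n"
    "Host: example.invalid\r\n"  # hypothetical host header
    "\r\n"
)


def parse_request_line(raw: str) -> tuple[str, str, str]:
    """Split the first line of a request into (method, raw_uri, version)."""
    line = raw.split("\r\n", 1)[0]
    method, uri, version = line.split(" ", 2)
    return method, uri, version


def normalize_uri(raw_uri: str) -> str:
    """Approximate the http_uri buffer (assumption: decode %XX everywhere,
    collapse '//' runs in the path only)."""
    path, sep, query = raw_uri.partition("?")
    path = re.sub(r"/{2,}", "/", unquote(path))
    return path + sep + unquote(query)


def buffers(raw_request: str) -> dict[str, str]:
    """Return the three buffers a rule can select with a content modifier."""
    method, uri, _ = parse_request_line(raw_request)
    return {"http_method": method, "http_raw_uri": uri, "http_uri": normalize_uri(uri)}


def content_matches(raw_request: str, pattern: str, buffer: str) -> bool:
    """Emulate `content:"pattern"; <buffer>;` as a literal, case-sensitive
    substring test (i.e. no nocase modifier)."""
    return pattern in buffers(raw_request)[buffer]


# Patterns taken from the thread. ORIGINAL keeps the double slash and the
# trailing space exactly as they appear inside the quotes of the posted rule.
ORIGINAL = "//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "
FIXED_RAW = "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"   # Ryan's fix
FIXED_NORMALIZED = "/index.php?keywords=http://revftdrcghjw.com/"     # decoded form


def evaluate(raw_request: str = SAMPLE_REQUEST) -> dict[str, bool]:
    """Run each pattern/buffer pair the discussion raises and report hits."""
    return {
        "original_http_uri": content_matches(raw_request, ORIGINAL, "http_uri"),
        "original_http_raw_uri": content_matches(raw_request, ORIGINAL, "http_raw_uri"),
        "fixed_http_raw_uri": content_matches(raw_request, FIXED_RAW, "http_raw_uri"),
        "fixed_http_uri_encoded": content_matches(raw_request, FIXED_RAW, "http_uri"),
        "fixed_http_uri_decoded": content_matches(raw_request, FIXED_NORMALIZED, "http_uri"),
        "method_get": content_matches(raw_request, "GET", "http_method"),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26s} {'match' if hit else 'no match'}")
```

Only `fixed_http_raw_uri`, `fixed_http_uri_decoded` and `method_get` report a match: the posted pattern misses on every buffer, and the single-slash pattern with the literal `%3A%2F%2F` matches only the raw buffer. To keep the encoded pattern, pair it with `http_raw_uri` in the rule; to keep `http_uri`, write the decoded `://` form instead.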

