Snort mailing list archives

Re: Can't generate alerts on HTTP GET attacks


From: rmkml <rmkml () yahoo fr>
Date: Wed, 2 Jul 2014 22:38:29 +0200 (CEST)

Welcome Sabawoon and Thx Ryan and YM,

Don't forget:
-only for testing, disable cksum verification (-k none)
-check var $EXTERNAL_NET $HTTP_SERVERS $HTTP_PORTS
-record network traffic if you need it and check/replay
-simplify your test to only one test and check the snort stats / http preproc verbose output
-check whether snort warns about broken http, for example
-if it does not work, simplify your sig and test again... (does it work with simply /index.php ?)
-snort "normalizes" http_uri: don't use %3A, use :
-and special normalization of %2F%2F: use only one /
-remove the extra space at the end of http_uri
-if it does not work, please post snort version + conf + verbose output + pcap

Best Regards
@Rmkml



On Wed, 2 Jul 2014, Y M wrote:

If you are looking for a rule covering bugtraq,10129 in general, there is a rule written already for that and it should be in the community ruleset with sid:2588. If this is not what you are looking for, then signatures specific to your case need to be written. However, it is not clear from the description you provided. Are those GET requests targeted at web servers run by you or by your friend? Depending on the direction, this may help:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"some message here"; flow:to_server,established; content:"/index.php?"; http_uri; content:"keywords=http"; http_uri; metadata:service http; classtype:web-application-activity; sid:xxx; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"some message here"; flow:to_server,established; content:"/index.php?"; http_uri; content:"vid=http"; http_uri; metadata:service http; classtype:web-application-activity; sid:xxx; rev:1;)

There is room for enhancement by adding "depth" and "distance" modifiers to the above rules, but without pcaps it would be difficult to test. Also, you can combine both of these in one rule with little modification and pcre. I see in your rule a content of "id="; where is this coming from?

Also, is the path "/webcomm/masonVideos/index.php" static?

YM
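The two replies above make the same practical point: Snort matches http_uri content against the normalized URI, not the raw bytes, so a content string written with %3A, %2F%2F or a trailing space will never match. The following Python script is an added illustration (it is not code from the thread or from Snort) that models that normalization with an assumed, simplified rule set (percent-decode, collapse repeated slashes, strip trailing whitespace) and then checks which of the candidate rules' content strings would match the request URIs quoted in the original post. The rule names and the reduction of each rule to its http_uri content strings are this example's own assumptions.

```python
import re
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximate the http_inspect URI normalization rmkml describes.

    Assumed simplified model (not Snort's own code): percent-decode the URI
    (%3A -> ':', %2F -> '/'), collapse runs of '/' to a single '/', and strip
    trailing whitespace. Snort's real normalizer handles more cases
    (directory traversal, unicode, etc.), so treat this as an approximation.
    """
    uri = unquote(raw_uri)
    uri = re.sub(r"/{2,}", "/", uri)
    return uri.rstrip()


def rule_matches(contents, raw_uri) -> bool:
    """Emulate a rule whose content options all carry http_uri:
    every content string must appear in the normalized URI."""
    norm = normalize_uri(raw_uri)
    return all(c in norm for c in contents)


# Rules under discussion, reduced to their http_uri content strings
# (names are this example's labels, not real rule names).
RULES = {
    "original (sid:2588001)": [
        "//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F ",
        "id=",
    ],
    "YM keywords rule": ["/index.php?", "keywords=http"],
    "YM vid rule": ["/index.php?", "vid=http"],
}

# Request URIs taken from the csv excerpt in the original post.
SAMPLE_URIS = [
    "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F",
    "/webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/",
]


def evaluate(rules=RULES, uris=SAMPLE_URIS):
    """Return {rule_name: number of sample URIs the rule would alert on}."""
    return {name: sum(rule_matches(c, u) for u in uris) for name, c in rules.items()}


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri}\n  -> {normalize_uri(uri)}")
    for name, hits in evaluate().items():
        print(f"{name}: {hits}/{len(SAMPLE_URIS)} URIs matched")
```

Running it shows the original rule matching nothing, because its content keeps the raw encoding, the leading double slash and the trailing space, while each of YM's rules matches exactly the URI it was written for once the decoded, single-slash form is used. The same normalized strings are visible in the second column of the poster's csv lines, which is a quick way to pick content strings without a pcap.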

____________________________________________________________________________________________________________________________________________________________________________________________________________________________
Date: Wed, 2 Jul 2014 15:34:17 -0400
From: sabawoon.majeedzada () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Can't generate alerts on HTTP GET attacks

Hi everyone, I would appreciate it if someone can help me please. I am a newbie.
I have to generate alerts running pcap files that contain HTTP GET attacks (might be a different level of attack).

Provided examples after my buddy's request. I have copied these from a csv file. Sorry for the format. I have pcap files full of these attacks, but can't figure out a snort rule to generate alerts while running these packets.

This is my snort rule.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; flow:to_server,established; content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "; http_uri; content:"id="; meta; metadata:service http; reference:bugtraq,10129; classtype:web-application-activity; sid:2588001; rev:8;)

These are the attacks I got from my csv file, but they are also in pcap format. I have a lot of these kinds of attacks stored in pcap files but can't generate alerts when I run snort on the pcap files.

2010-Oct-07 03:19:14.760262     someip  53181   >       someip    80      websiteurl      
/webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
 vid=http://www.vimeo.com/moogaloop.swf?clip_id=/ 


2010-Oct-07 01:18:50.635566 some ip 57991 > some ip 80 urofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F 
keywords=http://revftdrcghjw.com/ HTTP/1.1

2010-Oct-07 01:18:51.615340 some ip 50523 > some ip 80 ureofwebsite 
/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http:revftdrcghjw.com/

2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite 
/webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/ 
vid=http:/www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1