Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http_header not working

From: NIDS TEAM <nidsteam () gmail com>
Date: Fri, 26 Sep 2014 16:45:08 +0200
- I was testing with www.brot.ch/de/sitemap.html thus the signature would
check for the content "sitemap".
- The tool which is used: wget, elinks the following HTTP request hits
snort:

   GET http://www.brot.ch/de/sitemap.html HTTP/1.1
   User-Agent: Wget/1.13.4 (linux-gnu)
   Accept: */*
   Host: www.brot.ch
   Connection: Close
   Proxy-Connection: Keep-Alive

- The "test" (resp. mail) string should be in the http_uri. But since it is
not working with http_uri, I tried several other http_* modifiers and none
of them worked:
   e.g.: content:"brot"; http_header;    when accessing
www.brot.ch/de/sitemap.html
           content:"sitemap"; http_uri;     when accessing
www.brot.ch/de/sitemap.html

I just repeated the test from above, with the same results and also did it
with the following request:

   GET http://www.google.com/mail HTTP/1.1
   User-Agent: Wget/1.13.4 (linux-gnu)
   Accept: */*
   Host: www.google.com
   Connection: Close
   Proxy-Connection: Keep-Alive

The following payload triggered the alert this time:

   HTTP/1.1 301 Moved Permanently
   Location: https://mail.google.com/mail/
   Content-Type: text/html; charset=UTF-8
   X-Content-Type-Options: nosniff
   Date: Fri, 26 Sep 2014 14:12:18 GMT
   Expires: Sun, 26 Oct 2014 14:12:18 GMT
   Cache-Control: public, max-age=2592000
   Server: sffe
   Content-Length: 226
   X-XSS-Protection: 1; mode=block
   Alternate-Protocol: 80:quic,p=0.002
   X-Cache: MISS from prx-j225.open.ch
   Via: 1.1 prx-j225.open.ch (squid)
   Connection: keep-alive

   <HTML><HEAD><meta http-equiv="content-type"
content="text/html;charset=utf-8">
   ...


This raises the assumption that hopefully I do not understand how http_uri
and co work, or something is wrong here?
Shouldn't it also match HTTP requests?

Thanks
guido

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: