Re: http_header not working

["Joel Esler (jesler)" <jesler () cisco com>]

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

Try this.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 26, 2014, at 10:45 AM, NIDS TEAM <nidsteam () gmail com> wrote:

- I was testing with www.brot.ch/de/sitemap.html<http://www.brot.ch/de/sitemap.html> thus the signature would check for 
the content "sitemap".
- The tool which is used: wget, elinks the following HTTP request hits snort:

   GET http://www.brot.ch/de/sitemap.html HTTP/1.1
   User-Agent: Wget/1.13.4 (linux-gnu)
   Accept: */*
   Host: www.brot.ch<http://www.brot.ch/>
   Connection: Close
   Proxy-Connection: Keep-Alive

- The "test" (resp. mail) string should be in the http_uri. But since it is not working with http_uri, I tried several 
other http_* modifiers and none of them worked:
   e.g.: content:"brot"; http_header;    when accessing www.brot.ch/de/sitemap.html<http://www.brot.ch/de/sitemap.html>
           content:"sitemap"; http_uri;     when accessing 
www.brot.ch/de/sitemap.html<http://www.brot.ch/de/sitemap.html>

I just repeated the test from above, with the same results and also did it with the following request:

   GET http://www.google.com/mail HTTP/1.1
   User-Agent: Wget/1.13.4 (linux-gnu)
   Accept: */*
   Host: www.google.com<http://www.google.com/>
   Connection: Close
   Proxy-Connection: Keep-Alive

The following payload triggered the alert this time:

   HTTP/1.1 301 Moved Permanently
   Location: https://mail.google.com/mail/
   Content-Type: text/html; charset=UTF-8
   X-Content-Type-Options: nosniff
   Date: Fri, 26 Sep 2014 14:12:18 GMT
   Expires: Sun, 26 Oct 2014 14:12:18 GMT
   Cache-Control: public, max-age=2592000
   Server: sffe
   Content-Length: 226
   X-XSS-Protection: 1; mode=block
   Alternate-Protocol: 80:quic,p=0.002
   X-Cache: MISS from prx-j225.open.ch<http://prx-j225.open.ch/>
   Via: 1.1 prx-j225.open.ch<http://prx-j225.open.ch/> (squid)
   Connection: keep-alive

   <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
   ...


This raises the assumption that hopefully I do not understand how http_uri and co work, or something is wrong here?
Shouldn't it also match HTTP requests?

Thanks
guido
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!