Snort mailing list archives
Re: SOLVED - Trouble with HTTP status message rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 12 Mar 2015 23:04:44 +0000
Keep in mind from_server = to_client.

> On Mar 12, 2015, at 6:02 PM, Research <research () nativemethods com> wrote:
>
>> On Mar 12, 2015, at 5:57 PM, Research <research () nativemethods com> wrote:
>>
>> Hello,
>>
>> I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server. While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.
>>
>> Currently my rule is:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
>>     (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
>>
>> I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:
>>
>> http://mywebserver.com/notthere
>>
>> …the rule does not fire. I was wondering what I am missing.
>>
>> Thanks
>
> Discovered what I was doing wrong. Should have been tracking this as a response *FROM* the server, not inbound traffic. The following rule solves the problem:
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
>     (msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming
> The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now.
> http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
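The mistake in this thread (a response-only buffer such as http_stat_code paired with a client-to-server header and flow:to_server) can be caught mechanically before a rule is deployed. The following Python rule linter is an added example, not code from the thread or from the Snort project; it embeds constructed copies of the two rules above and assumes that whichever side of the header carries $HTTP_PORTS is the web server.

```python
import re

# Snort 2 rule header: action proto src sports dir dst dports ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sports>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dports>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)
# Content modifiers whose buffers exist only in HTTP responses.
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg"}

# Constructed copies of the two rules from the thread (before / after the fix).
BROKEN_RULE = r"""alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)"""
FIXED_RULE = r"""alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)"""


def parse_rule(rule):
    """Split a rule into its header fields and a list of option strings."""
    text = rule.replace("\\\n", " ")  # join backslash line continuations
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    hdr = m.groupdict()
    # Simplification: assumes no ';' inside quoted option values.
    opts = [o.strip() for o in hdr.pop("opts").split(";") if o.strip()]
    return hdr, opts


def check_direction(rule):
    """Return findings where the rule's direction contradicts its HTTP buffers."""
    hdr, opts = parse_rule(rule)
    by_name = {o.split(":", 1)[0].strip(): o.split(":", 1)[-1].strip() for o in opts}
    used = sorted(set(by_name) & RESPONSE_ONLY)
    if not used:
        return []
    findings = []
    # Heuristic (assumption): the side carrying $HTTP_PORTS is the web server,
    # so '->' with $HTTP_PORTS as destination ports selects client->server traffic.
    if hdr["dir"] == "->" and hdr["dports"] == "$HTTP_PORTS":
        findings.append("%s matches only server responses, but header '%s %s -> %s %s' "
                        "selects client->server traffic" % (",".join(used),
                        hdr["src"], hdr["sports"], hdr["dst"], hdr["dports"]))
    flow_flags = {f.strip() for f in by_name.get("flow", "").split(",")}
    bad = sorted(flow_flags & {"to_server", "from_client"})
    if bad:
        findings.append("flow:%s limits matching to client->server packets; use "
                        "from_server (same as to_client)" % ",".join(bad))
    return findings
```

Running check_direction over BROKEN_RULE reports both the header direction and the flow keyword; FIXED_RULE produces no findings.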
Current thread:
- Trouble with HTTP status message rule Research (Mar 12)
- SOLVED - Trouble with HTTP status message rule Research (Mar 12)
- Re: SOLVED - Trouble with HTTP status message rule Joel Esler (jesler) (Mar 12)
- Re: SOLVED - Trouble with HTTP status message rule Research (Mar 12)
- Re: SOLVED - Trouble with HTTP status message rule Joel Esler (jesler) (Mar 12)
- Re: Trouble with HTTP status message rule lists () packetmail net (Mar 12)
- Re: Trouble with HTTP status message rule Rodrigo Montoro(Sp0oKeR) (Mar 12)
- SOLVED - Trouble with HTTP status message rule Research (Mar 12)