Snort mailing list archives

Re: SOLVED - Trouble with HTTP status message rule


From: Research <research () nativemethods com>
Date: Thu, 12 Mar 2015 22:58:37 -0400


On Mar 12, 2015, at 7:04 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Keep in mind from_server = to_client.


On Mar 12, 2015, at 6:02 PM, Research <research () nativemethods com> wrote:


On Mar 12, 2015, at 5:57 PM, Research <research () nativemethods com> wrote:

Hello,

I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server.  
While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule 
that does the same for some testing.

Currently my rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)

I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:

http://mywebserver.com/notthere

…the rule does not fire.

I was wondering what I am missing.

Thanks

Discovered what I was doing wrong.  Should have been tracking this as a response *FROM* the server, not inbound 
traffic.

The following rule solves the problem:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)


Good point!

With the rule I also swapped the direction after the protocol:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \ (snip)

…instead of incoming traffic:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \ (snip)

…and now the rule fires.
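The mistake in this thread (a response-only buffer such as http_stat_code paired with flow:to_server and a header pointing at the web server) is mechanical enough to lint for. The following Python script is an added example, not code from the thread or from the Snort project: it parses a rule header and its options, treats from_server/to_client and to_server/from_client as the synonyms Joel points out, and flags rules whose header direction, flow: flags and HTTP buffer disagree. The two rules it checks are the ones quoted above; splitting options on ';' is a simplification that assumes no ';' inside msg strings.

```python
import re

# HTTP buffers that exist only in the server's response (server -> client) ...
RESPONSE_BUFFERS = {"http_stat_code", "http_stat_msg"}
# ... and buffers that exist only in the client's request (client -> server).
REQUEST_BUFFERS = {"http_uri", "http_raw_uri", "http_method"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

def parse_rule(text):
    """Join backslash-continued lines, then split a rule into header fields,
    the set of option keywords it uses and the set of flow: flags."""
    m = HEADER_RE.match(text.replace("\\\n", " "))
    if not m:
        raise ValueError("not a Snort rule")
    opts = [o.strip() for o in m.group("opts").split(";") if o.strip()]
    keywords = {o.split(":", 1)[0].strip() for o in opts}
    flow = next((o.split(":", 1)[1] for o in opts if o.startswith("flow")), "")
    flags = {f.strip() for f in flow.split(",") if f.strip()}
    return {**m.groupdict(), "keywords": keywords, "flow": flags}

def lint_direction(text):
    """Return the ways the header direction, flow: option and HTTP buffers disagree."""
    r = parse_rule(text)
    problems = []
    # from_server == to_client and to_server == from_client.
    to_client = bool(r["flow"] & {"from_server", "to_client"})
    to_server = bool(r["flow"] & {"to_server", "from_client"})
    resp = sorted(r["keywords"] & RESPONSE_BUFFERS)
    req = sorted(r["keywords"] & REQUEST_BUFFERS)
    if resp and to_server:
        problems.append(f"{resp} inspect a response, but flow says to_server")
    if req and to_client:
        problems.append(f"{req} inspect a request, but flow says to_client")
    # With '->' the web server ($HTTP_PORTS side) must be the source for response
    # buffers and the destination for request buffers.
    if r["dir"] == "->":
        if resp and r["dport"] == "$HTTP_PORTS":
            problems.append("header sends traffic to the server, but rule inspects its response")
        if req and r["sport"] == "$HTTP_PORTS":
            problems.append("header comes from the server, but rule inspects a request")
    return problems

# The two rules from the thread: the original (never fires) and the fix.
ORIGINAL = """alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \\
(msg:"Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; sid:2000110; rev:1;)"""
FIXED = """alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \\
(msg:"Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; sid:2000110; rev:1;)"""

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, lint_direction(rule) or "OK")
```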
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org