Snort mailing list archives

Re: Snort not generating alert


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 30 Nov 2015 12:38:36 +0000

Great!

You may still want to change the rule to use one of the http rule keywords so that ONLY the http header is searched for 
the status code/http response.

Either way the choice is yours.

Cheers!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Qasim Javed [mailto:qasim.javed () ebryx com]
Sent: Monday, November 30, 2015 3:08 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net; Fahim Abbasi
Subject: Re: [Snort-users] Snort not generating alert

Hi,
     I read your snort configuration file and made a little change from config paf_max: 16000 to config paf_max: 63780
in snort.conf and my rule started to work. I think there is no need to change anything other than that.



Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan


On 30 November 2015 at 11:28, Qasim Javed <qasim.javed () ebryx com> wrote:
Thanks for your support. You made my day, it worked!



Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan


On 30 November 2015 at 02:44, Al Lewis (allewi) <allewi () cisco com> wrote:
Hello,

Attached are the conf, pcap and log. I chose to use the http_stat_code with a value of ‘200’ in your rule since you
were looking for the server response code.

alert tcp any any -> any any (sid:100015; rev:1; msg:"both contents found"; flow:to_client,established; content:"200"; http_stat_code; content:"prevDays=new Arr"; nocase;)


Command I used:
./bin/snort -c etc/JAVED.conf -r etc/JAVED.pcap -Acmg -H -U -k none -q



06/16-18:20:10.416489  [**] [1:100015:1] both contents found [**] [Priority: 0] {TCP} 63.116.243.97:80 -> 192.168.1.3:58816
Stream reassembled packet
06/16-18:20:10.416489 00:26:62:2F:47:87 -> 00:1D:60:B3:01:84 type:0x800 len:0x5F88
63.116.243.97:80 -> 192.168.1.3:58816 TCP TTL:64 TOS:0x0 ID:43234 IpLen:20 DgmLen:24442 DF
***A**** Seq: 0xA3C480A0  Ack: 0xE5943F77  Win: 0xAA00  TcpLen: 32
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 32 33 38 35 38 0D 0A 43 6F 6E 74 65 6E 74 2D   23858..Content-
54 79 70 65 3A 20 74 65 78 74 2F 6A 61 76 61 73  Type: text/javas
63 72 69 70 74 0D 0A 4C 61 73 74 2D 4D 6F 64 69  cript..Last-Modi
66 69 65 64 3A 20 57 65 64 2C 20 31 36 20 4A 75  fied: Wed, 16 Ju
6E 20 32 30 31 30 20 31 37 3A 32 35 3A 31 34 20  n 2010 17:25:14
47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67  GMT..Accept-Rang
65 73 3A 20 62 79 74 65 73 0D 0A 45 54 61 67 3A  es: bytes..ETag:
20 22 30 37 39 37 35 65 31 37 38 64 63 62 31 3A   "07975e178dcb1:
35 33 33 33 22 0D 0A 53 65 72 76 65 72 3A 20 4D  5333"..Server: M
69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 36 2E 30  icrosoft-IIS/6.0


See here in the manual about the http_stat_code keyword: 
http://manual.snort.org/node32.html#SECTION004519000000000000000



You should also be able to use the ‘http_header’ option as YM mentions below.



Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
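The two things settled in this thread, the paf_max flush size Qasim raised from 16000 to 63780 and the http_stat_code rule Al posted, can be modelled in a few lines. The Python below is an added illustration for this archive page, not Snort code and not the poster's pcap: the response bytes are constructed to the shape of the packet dump above (a 200 OK with a 23858-byte text/javascript body), the fixed-size flush is a simplification of Snort 2.9's PAF (which flushes at message boundaries up to paf_max and at paf_max otherwise), and the sid 100016 rule is hypothetical, added only to show what a bare content:"200" matches that http_stat_code does not.

```python
"""Toy model of stream reassembly flushing at paf_max, and of a raw content
match versus http_stat_code.  Added illustration, not Snort source code; all
response bytes below are constructed, not taken from the poster's pcap."""

from dataclasses import dataclass, field
from typing import List, Optional


def make_response(status_line: bytes, body: bytes) -> bytes:
    """Build an HTTP/1.1 response with a correct Content-Length."""
    headers = (
        status_line + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"Content-Type: text/javascript\r\n"
        + b"Server: Microsoft-IIS/6.0\r\n"
        + b"\r\n"
    )
    return headers + body


# Constructed 200 OK with a 23858-byte body, like the dump in the thread.  The
# filler deliberately contains "200" so an unqualified content:"200" can match
# inside the body; the string the rule wants sits ~20 KB into the response.
FILLER = b"var x = 200;\n"
TARGET = b"var prevDays=new Array();\n"
BODY = FILLER * 1540 + TARGET
BODY += b"/" * (23858 - len(BODY))
STREAM_200 = make_response(b"HTTP/1.1 200 OK", BODY)

# Constructed 404 whose body carries the same strings, to show the precision
# gained by tying "200" to the status code instead of the whole buffer.
STREAM_404 = make_response(b"HTTP/1.1 404 Not Found",
                           b"var x = 200; var prevDays=new Array();\n")


@dataclass
class Rule:
    """Subset of a Snort rule: one optional http_stat_code content plus plain
    nocase content matches against the whole reassembled buffer."""
    sid: int
    status_code: Optional[bytes] = None
    contents: List[bytes] = field(default_factory=list)


RULE_100014 = Rule(100014, contents=[b"HTTP/1.1 200 OK", b"prevDays=new Arr"])
RULE_100015 = Rule(100015, status_code=b"200", contents=[b"prevDays=new Arr"])
RULE_RAW_200 = Rule(100016, contents=[b"200", b"prevDays=new Arr"])  # hypothetical


def flush_buffers(stream: bytes, paf_max: int) -> List[bytes]:
    """Reassembled buffers as handed to the detection engine.  Simplified: a
    server->client stream larger than paf_max is flushed every paf_max bytes."""
    return [stream[i:i + paf_max] for i in range(0, len(stream), paf_max)]


def status_code_of(buf: bytes) -> Optional[bytes]:
    """Status code field if the buffer begins with an HTTP status line, else
    None; this is all an http_stat_code content gets to look at."""
    line = buf.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return parts[1]


def rule_matches(rule: Rule, buf: bytes) -> bool:
    if rule.status_code is not None and status_code_of(buf) != rule.status_code:
        return False
    low = buf.lower()
    return all(c.lower() in low for c in rule.contents)


def alerts(rule: Rule, stream: bytes, paf_max: int) -> List[int]:
    """Indexes of the reassembled buffers on which the rule fires."""
    return [i for i, buf in enumerate(flush_buffers(stream, paf_max))
            if rule_matches(rule, buf)]


if __name__ == "__main__":
    for paf_max in (16000, 63780):
        for rule in (RULE_100014, RULE_100015):
            print(f"paf_max={paf_max} sid:{rule.sid} ->",
                  alerts(rule, STREAM_200, paf_max) or "no alert")
    print('404 body, bare content:"200" ->', alerts(RULE_RAW_200, STREAM_404, 63780))
    print("404 body, http_stat_code 200  ->", alerts(RULE_100015, STREAM_404, 63780))
```

At paf_max 16000 neither rule fires: the status line lands in the first flushed buffer and "prevDays=new Arr" in the second, so no single buffer satisfies both contents. At 63780 the whole response is one buffer and both rules fire, which matches the log above, where the reassembled packet is 24442 bytes, larger than 16000. The 404 case shows why Al's http_stat_code form is the tighter rule: a bare content:"200" also matches the "200" in the body.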

From: Y M [mailto:snort () outlook com]
Sent: Saturday, November 28, 2015 7:44 AM
To: Qasim Javed
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not generating alert

I have looked at your files, but you may want to consider "flow" and "http_header" keywords in the rule posted. Try 
these and see if they help.
Sent from Mobile

_____________________________
From: Qasim Javed <qasim.javed () ebryx com>
Sent: Friday, November 27, 2015 10:32 AM
Subject: [Snort-users] Snort not generating alert
To: <snort-users () lists sourceforge net>


Hi,
     I am using Ubuntu 14.04 LTS and have some problems while detecting some strings in the payload of a pcap. Actually the
problem is that when I hit the pcap with the snort rules file named r1.rules then no alerts are generated. Assuming that the
pcap and rules file are in the same directory and snort.conf is in /etc/snort/snort.conf, and I have enabled TCP reassembly.

  *   Command1 executed: sudo snort -c /etc/snort/snort.conf -A console -q -l /tmp -r "TCP_SACK.pcap" -k none
  *   Rule which should trigger: alert tcp any any -> any any (sid:100014; rev:1; msg:"both contents found"; content:"HTTP/1.1 200 OK"; nocase; content:"prevDays=new Arr"; nocase;)
  *   Output1: no alert generated



  *   Command2 executed: sudo snort -c /etc/snort/snort.conf -A cmg -q -l /tmp -r "TCP_SACK.pcap" -k none
  *   Output2: This command generates the HTTP response stream, and it has both contents which are in the rule to be matched,
so it should generate an alert, but snort is not generating an alert although both contents are present in the output stream
generated using switch -A cmg instead of -A console.

         I have attached the response file named "r1_response.txt" (i.e. the output generated while executing command2),
snort.conf, r1.rules, and TCP_SACK.pcap (the pcap to be hit). Please resolve the issue and let me know the solution.


Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan



