Re: Content Rule problem

["Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>]

Try this (conf and pcap are attached). The content is matched in the file transferred and in the request.


[alewis@localhost snort-2.9.9.0-released]$ ./bin/snort -c etc/ledi.conf -r etc/ledi.pcap -Acmg -k none -q
09/17-09:12:45.312281  [**] [1:1000001:0] Keyword found [**] [Priority: 1] {TCP} 1.1.1.1:1792 -> 2.2.2.2:80
09/17-09:12:45.312281 00:55:44:33:22:11 -> 00:11:22:33:44:55 type:0x800 len:0x1D4
1.1.1.1:1792 -> 2.2.2.2:80 TCP TTL:64 TOS:0x0 ID:13533 IpLen:20 DgmLen:454
***AP*** Seq: 0x971  Ack: 0xB51  Win: 0x16D0  TcpLen: 20
47 45 54 20 2F 66 61 6B 65 6E 65 77 73 2F 74 6D  GET /fakenews/tm
70 25 32 66 6C 65 64 69 25 32 65 74 78 74 20 48  p%2fledi%2etxt H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77  TTP/1.1..Host: w
72 6C 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  rl..User-Agent:
4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 31 31  Mozilla/5.0 (X11
3B 20 55 3B 20 4C 69 6E 75 78 20 69 36 38 36 3B  ; U; Linux i686;
20 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 31   en-US; rv:1.8.1
2E 31 37 29 20 47 65 63 6B 6F 2F 32 30 30 38 31  .17) Gecko/20081
30 30 37 20 46 69 72 65 66 6F 78 2F 32 2E 30 2E  007 Firefox/2.0.
30 2E 31 37 0D 0A 41 63 63 65 70 74 3A 20 74 65  0.17..Accept: te
78 74 2F 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69  xt/xml,applicati
6F 6E 2F 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69  on/xml,applicati
6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 74 65 78  on/xhtml+xml,tex
74 2F 68 74 6D 6C 3B 71 3D 30 2E 39 2C 74 65 78  t/html;q=0.9,tex
74 2F 70 6C 61 69 6E 3B 71 3D 30 2E 38 2C 69 6D  t/plain;q=0.8,im
61 67 65 2F 70 6E 67 2C 2A 2F 2A 3B 71 3D 30 2E  age/png,*/*;q=0.
35 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61  5..Accept-Langua
67 65 3A 20 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30  ge: en-us,en;q=0
2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64  .5..Accept-Encod
69 6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C 61 74  ing: gzip,deflat
65 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65  e..Accept-Charse
74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 75 74  t: ISO-8859-1,ut
66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D 30 2E  f-8;q=0.7,*;q=0.
37 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33  7..Keep-Alive: 3
30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  00..Connection:
6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A        keep-alive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


09/17-09:12:49.318085  [**] [1:1000000:0] ledi in a file [**] [Priority: 0] {TCP} 2.2.2.2:80 -> 1.1.1.1:1792
09/17-09:12:49.318085 00:11:22:33:44:55 -> 00:55:44:33:22:11 type:0x800 len:0x5F
2.2.2.2:80 -> 1.1.1.1:1792 TCP TTL:64 TOS:0x0 ID:3631 IpLen:20 DgmLen:81
***AP*** Seq: 0xCAF  Ack: 0xB0F  Win: 0x16D0  TcpLen: 20
54 68 69 73 20 66 69 6C 65 20 68 61 73 20 74 68  This file has th
65 20 63 6F 6E 74 65 6E 74 20 27 6C 65 64 69 27  e content 'ledi'
20 69 6E 20 69 74 2E 0A 0A                        in it...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-sigs <snort-sigs-bounces () lists snort org<mailto:snort-sigs-bounces () lists snort org>> on behalf of 
Keith Seymour via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>>
Reply-To: Keith Seymour <keseymour () gmail com<mailto:keseymour () gmail com>>
Date: Sunday, September 17, 2017 at 9:48 AM
To: redion xhepa <redionxhepa () live com<mailto:redionxhepa () live com>>, "snort-sigs () lists snort 
org<mailto:snort-sigs () lists snort org>" <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>>
Subject: Re: [Snort-sigs] Content Rule problem

When I Google search it defaults to https, you wouldn't see that. You could use telnet or post the term to an 
unprotected forum?

Thanks,

Keith

On Sun, Sep 17, 2017 at 6:46 AM redion xhepa via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists 
snort org>> wrote:

I have written these rules in Snort.It detects the first three but not the content one.Why ?

alert icmp any any -> any any (msg: "ICMP Packet found"; sid: 1000001;)
alert tcp any any -> any any (msg: "TCP Packet found";sid: 1000002;)
alert udp any any -> any any (msg: "UDP Packet found";sid: 1000003;)
alert tcp any any -> any any (content: "ledi";nocase; msg: "Keyword found";sid: 1000004;)


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Attachment: ledi.conf
Description: ledi.conf

Attachment: ledi.pcap
Description: ledi.pcap

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!