Snort mailing list archives

Re: [SUSPECTED SPAM] Returned Errors for CISA Snort Rules


From: "Russ Combs (rucombs) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 18 Jan 2022 16:42:58 +0000

That looks like an abuse of classtype, but to add new classtypes for Snort 2 you need to update 
etc/classification.config.
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of chris <chris () shadowserver org>
Sent: Thursday, January 6, 2022 7:20 PM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [SUSPECTED SPAM] [Snort-sigs] Returned Errors for CISA Snort Rules

Hello,
I've been trying to implement Snort rules provided by the CISA but I'm
receiving errors when the classtype field contains the value "http-uri"
or "http-header" (examples provided below). These are not default Snort
classtypes. Can someone provide some insight on how to either define
these classtypes OR provide a good alternative classtype?
Thanks in advance for any insight you can provide!

Best,
Chris

alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
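The following is an added example, not code from the thread or from the Snort project. It shows the check a practitioner would run before loading third-party rules into Snort 2: list every classtype the rules reference that has no `config classification:` entry in etc/classification.config, and generate the lines to append, which is the fix Russ describes. The rules file and the classification.config excerpt are constructed here (modelled on the two rules in the post, with placeholder sids replaced by local-range values and the flowbits placeholders dropped); the description text and the priority value 3 are assumptions for illustration. The third sample rule uses the stock classtype `trojan-activity` and so loads without any change to classification.config.

```shell
#!/bin/sh
# Added example, not from the thread: before loading third-party (here, CISA)
# rules into Snort 2, list every classtype they reference that has no
# "config classification:" entry in etc/classification.config, and generate
# the entries to append. File paths and the sample contents are constructed.

RULES=$(mktemp)    # constructed rules file, modelled on the two rules in the thread
CLASSES=$(mktemp)  # constructed excerpt of etc/classification.config

cat > "$RULES" <<'EOF'
# sids 1000001+ are the local range; placeholders from the post are replaced
alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:1000001; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:1000002; rev:1; flow:established,to_server; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; classtype:http-header; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"stock classtype, loads without changes"; sid:1000003; rev:1; flow:established,to_server; content:"GET"; http_method; classtype:trojan-activity; metadata:service http;)
EOF

cat > "$CLASSES" <<'EOF'
# format: config classification: shortname,short description,priority
config classification: trojan-activity,A Network Trojan was detected,1
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
EOF

# Print (one per line, sorted) the classtypes used in rules file $1 that have
# no "config classification:" entry in classification file $2.
undefined_classtypes() {
    used=$(grep -v '^[[:space:]]*#' "$1" | grep -o 'classtype:[^;]*' \
           | sed 's/^classtype:[[:space:]]*//; s/[[:space:]]*$//' | sort -u)
    defined=$(sed -n 's/^config classification:[[:space:]]*\([^,]*\),.*/\1/p' "$2")
    for ct in $used; do
        printf '%s\n' "$defined" | grep -qxF -- "$ct" || printf '%s\n' "$ct"
    done
}

# Emit one classification.config line per undefined classtype. The description
# text and priority 3 (low) are assumptions for illustration; Snort 2 uses
# 1 = high, 2 = medium, 3 = low, 4 = very low, so pick what your alerting expects.
missing_classification_lines() {
    undefined_classtypes "$1" "$2" | while read -r ct; do
        printf 'config classification: %s,%s,3\n' "$ct" "CISA rule classtype ($ct)"
    done
}

echo "classtypes with no definition:"
undefined_classtypes "$RULES" "$CLASSES"
echo "lines to append to etc/classification.config:"
missing_classification_lines "$RULES" "$CLASSES"
```

Run it against the real files (the rules file from CISA and the classification.config your snort.conf includes), append the emitted lines, and then re-run `snort -T -c snort.conf` to confirm the rules now parse; a classtype name that still appears in the first list is one the rules reference but the config does not define.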