
Re: [Snort-sigs] Question about a Snort rule

From: Korodev <korodev_at_nospam>
Date: Fri Feb 25 2011 - 15:35:32 GMT
To: Miso Patel <miso.patel@gmail.com>

> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)

This rule is way off. What are you trying to do here? If you're trying
to alert on iPads browsing the web on your network, then a much
better place to start would be looking at the user agent.

A few things to consider:

1) UDP is not used with regard to HTTP. So you should replace UDP with TCP.

2) You've limited the rule to only alert on matching SYN packets. I
won't mention that there are no SYN packets in UDP, but it's likely
that most of your intended content matches will not be in the initial SYN
packet.

3) The http_uri flag limits your content match to the URL.

\\korodev
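The three points above can be checked mechanically. The following is an added example (not code from the thread or from the Snort project): a small rule parser and linter in Python that flags an http_* modifier or a flags option on a non-TCP rule, and a payload match restricted to SYN-only packets. It runs on the rule quoted above and on a constructed rewrite in the direction the reply suggests (TCP, established flow, User-Agent match in http_header); that rewrite and its sid are assumptions, not part of the thread.

```python
import re

# Rule quoted in the thread (the original poster's rule, as discussed above).
ORIGINAL_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
    'content:"iPad"; http_uri; nocase; flags:S; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:1;)')

# Constructed rewrite along the lines of the reply (assumption, not from the thread):
# TCP, an established client-to-server flow, and a User-Agent match in the headers.
REWRITTEN_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad User-Agent seen"; '
    'flow:to_server,established; content:"User-Agent|3A|"; http_header; '
    'content:"iPad"; http_header; nocase; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:1000001; rev:1;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# option name, optional ':value' (quoted values may contain ';'), terminating ';'
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
HTTP_MODIFIERS = {'http_uri', 'http_raw_uri', 'http_header', 'http_raw_header',
                  'http_client_body', 'http_method', 'http_cookie'}
PAYLOAD_OPTIONS = {'content', 'pcre'}


def parse_rule(rule):
    """Return (protocol, [(option_name, option_value), ...]) for one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a rule header: %r' % rule[:40])
    proto, body = m.group(2).lower(), m.group(8)
    return proto, [(n.lower(), v) for n, v in OPT_RE.findall(body)]


def lint_rule(rule):
    """Report the mismatches discussed in the thread, as a list of strings."""
    proto, opts = parse_rule(rule)
    names = {n for n, _ in opts}
    findings = []
    if proto != 'tcp' and names & HTTP_MODIFIERS:
        findings.append('http_* modifier on %s rule; HTTP runs over TCP' % proto)
    if proto != 'tcp' and 'flags' in names:
        findings.append('flags option on %s rule; only TCP carries flags' % proto)
    for n, v in opts:
        # flags:<set>[,<mask>]; a bare "S" (with optional +/*/! qualifier) means SYN only
        if (n == 'flags' and names & PAYLOAD_OPTIONS
                and v.split(',')[0].strip('+*!').upper() == 'S'):
            findings.append('payload match restricted to SYN packets, which carry no data')
    return findings
```

Calling `lint_rule(ORIGINAL_RULE)` yields three findings; the rewritten rule yields none. The user-agent point is a matter of intent, so it is not something a linter can decide.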

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org