snort-sigs February 2011 archive
Main Archive Page > Month Archives  > snort-sigs archives
snort-sigs: Re: [Snort-sigs] Question about a Snort rule

Re: [Snort-sigs] Question about a Snort rule

From: Miso Patel <miso.patel_at_nospam>
Date: Fri Feb 25 2011 - 15:55:02 GMT
To: Nigel Houghton <nhoughton@sourcefire.com>

OK, I now understand why just looking for 'flags:S;' doesn't make
sense but we want to alert on a situation where there is an
established UDP connection AND 'iPad' in the URI so we are trying this
one now (without luck but I feel we are getting closer):

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
request"; content:"iPad"; http_uri; nocase; flags:A+;
classtype:bad-unknown; reference:url,www.apple.com/ipad/;
sid:18954545; rev:2;)

Thanks.

Miso, CISO

On 2/25/11, Nigel Houghton <nhoughton@sourcefire.com> wrote:
> On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
>> My engineers are having trouble with a custom rule:
>>
>> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
>> request"; content:"iPad"; http_uri; nocase; flags:S;
>> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
>> sid:18954545; rev:1;)
>>
>> Any help would be appreciated. The rule does not seem to be alerting
>> for some reason and I think this could be a bug with Snort.
>>
>> Thanks.
>>
>> Miso, CISO
>
> Your rule is looking for "iPad" in a URI. So for the event to occur you
> would need something like http://www.foobar.com/foo/iPad
>
> Additionally, you are using "flags:S;" so the only data you are looking
> at is in SYN packets, so there won't be a URI in the packets anyway.
>
> Take a look at the latest Snort manual, there are examples of rules
> using the http options in there, get some packet capture data of the
> traffic you wish to detect and take it from there.
>
> I'm guessing you will have more questions as you proceed, feel free to
> email the list with them. Send your revised rule to the list if you
> like for further inspection.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
>

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT data
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org