[Snort-devel] (no subject)

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Oct 22 20:37:09 EDT 2002


A group of us that use and monitor snort related stuff meets every so
often to talk about 'stuff'... And though I think I've heard this
before, I can't seem to find it. So here it is:

It would be highly "COOL" if there were a flag that could be set within
a rule that identified what type of response was returned from an HTTP
daemon. This way, web rules would be able to have many false positives
removed, since in the vast majority of cases a non-OK (200) message
would mean the attempt failed.  I realize it may cause problems, because
you're requiring the inspection of multiple packets... And some rules
that have uricontent actually are responses from servers, so I'm not
really sure how all that would work out at this point....  

So a rule could be created as such:

Original ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215;
classtype:web-application-activity; sid:1701; rev:3;)
New ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; http-status-code:successful;
reference:bugtraq,1215; classtype:web-application-activity; sid:1701;
rev:3;)

Possible groupings for different types of responses:
1. successful
	one of the 200's and possibly 300's
2. failure
	any 400 or 500
3. serverror
	any 500
4. bad
	any 400
5. redir
	any 300 (possibly excluding 304)
6. ok
	200 (possibly all other 200s)


Should probably also allow a comma separated list of http status codes.
And the name for it can easily be different (http-return-code, httpcode,
httpreturn, httpstatus...)

http://www.w3.org/Protocols/HTTP/HTRESP.html
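Added example, not code from the post or from Snort: a small Python sketch of how the proposed option could be evaluated against the server's reply, assuming the two choices the post leaves open (3xx counted under "successful", 304 excluded from "redir") and using constructed sample responses.

```python
import re

# Status-code groupings as proposed in the post above. Assumptions: 3xx is
# counted as "successful", and "redir" excludes 304 Not Modified.
GROUPS = {
    "successful": lambda c: 200 <= c < 400,
    "failure":    lambda c: 400 <= c < 600,
    "serverror":  lambda c: 500 <= c < 600,
    "bad":        lambda c: 400 <= c < 500,
    "redir":      lambda c: 300 <= c < 400 and c != 304,
    "ok":         lambda c: c == 200,
}

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")

def parse_status(response):
    """Return the numeric status code from a raw HTTP response, or None."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None

def status_matches(option, code):
    """Evaluate a hypothetical 'http-status-code:' option value against a code.
    The value is a comma-separated list of group names and/or literal codes."""
    for item in option.split(","):
        item = item.strip()
        if item.isdigit() and int(item) == code:
            return True
        if item in GROUPS and GROUPS[item](code):
            return True
    return False

def should_alert(option, response):
    """True if the server's reply satisfies the option, i.e. the alert is kept
    rather than dropped as a probable false positive."""
    code = parse_status(response)
    return code is not None and status_matches(option, code)

# Constructed sample replies to the calendar-admin.pl request in the post.
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("404", NOT_FOUND), ("200", OK)):
        print(name, should_alert("successful", resp))
```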
