[Snort-sigs] TEST RULE for WhiteHat Security XST
bmc at ...95...
Wed Jan 22 21:28:04 EST 2003
On Thu, Jan 23, 2003 at 01:35:05AM +0100, unspawn wrote:
> I came up with this basic test rule:
> # XST TRACE test rule: www.whitehatsec.com/press_releases/WH-PR-20030120.txt*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "XST TRACE request"; content: "|54 52 41 43 45|"; sid: 10011; classtype: web-application-activity; rev: 1;)
> I think using stuff like flow and uricontent it could read something like:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (flow: from_client; msg: "XST TRACE request"; uricontent: "TRACE"; sid: 10010; reference: url,http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt; classtype: web-application-activity; rev: 1;)
> but somehow my Snort-1.9 doesn't accept "reference:url,http(etc, etc)".
> TIA for constructive comments, unSpawn
Ok, here are a couple of comments that should help you in the future.
1) Don't use hex unless you have to. It makes the rules unreadable to the average mortal.
2) URL references are specified without the protocol portion of the reference. eg => reference:url,www.snort.org
3) As TRACE is the method, don't use uricontent. This only looks for the uri portion of the request. In this example:
GET /index.html HTTP/1.0
the uricontent is "/index.html"
4) For personal rules, please use sid:1000000 and above.
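A version of the test rule that applies all four comments, added here as an example and not taken from the thread; the sid value is a placeholder in the personal range, and the depth value assumes the method sits at the very start of the request payload:

```snort
# XST TRACE test rule, rewritten per the comments above (added example).
# - plain-text content instead of hex bytes
# - content (not uricontent), limited with depth to the first 6 bytes of the
#   request so it matches the method, not "TRACE" appearing elsewhere
# - reference URL given without the http:// prefix
# - sid in the personal range (1000000 and above); 1000001 is a placeholder
# - flow:to_server is the same direction as the poster's flow:from_client
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (flow:to_server,established; msg:"XST TRACE request"; content:"TRACE "; depth:6; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.txt; classtype:web-application-activity; sid:1000001; rev:1;)
```

Without the depth limit, a bare content:"TRACE" would also fire on any GET or POST whose URI, headers or body happen to contain that string.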