[Snort-sigs] TEST RULE for WhiteHat Security XST

Brian bmc at ...95...
Wed Jan 22 21:28:04 EST 2003


On Thu, Jan 23, 2003 at 01:35:05AM +0100, unspawn wrote:
> I came up with this basic test rule:
> # XST TRACE test rule: www.whitehatsec.com/press_releases/WH-PR-20030120.txt*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "XST TRACE 
> request"; content: "|54 52 41 43 45|"; sid: 10011; classtype: 
> web-application-activity; rev: 1;)
> 
> I think using stuff like flow and uricontent it could read something like:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (flow: 
> from_client; msg: "XST TRACE request"; uricontent: "TRACE"; sid: 10010; 
> reference: url,http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt; 
> classtype: web-application-activity; rev: 1;)
> 
> but somehow my Snort-1.9 doesn't accept "reference:url,http(etc, etc)".
> 
> TIA for constructive comments, unSpawn

Ok, here are a couple comments that should help you in the future.

1) Don't use hex unless you have to.  It makes the rules unreadable to
   the average mortal.
2) URL references are specified without the protocol portion of the
   reference.  eg => reference:url,www.snort.org
3) As TRACE is the method, don't use uricontent.  This only looks for
   the uri portion of the request.  In this example:
      GET /index.html HTTP/1.0
   the uricontent is "/index.html"
4) For personal rules, please use the sid:1000000 and above.

-brian
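To make comment 3 concrete, here is a small Python model of how a `content` match (anywhere in the payload), a `uricontent` match (URI portion only) and a method-field match each see an HTTP request line. This is an added example, not Snort code and not part of either message above; it ignores Snort's URI normalisation, and the sample requests and the `example.test` host are constructed.

```python
"""Toy model of Snort `content` vs `uricontent` against HTTP request lines.

Added example: a simplified model, not Snort's real matching engine.
The sample requests below are constructed for illustration.
"""


def split_request_line(payload: bytes):
    """Return (method, uri, version) from the first line of an HTTP request.

    Returns None when the first line is not a three-field request line.
    """
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def content_match(payload: bytes, pattern: bytes) -> bool:
    """Snort `content`: the pattern may appear anywhere in the payload."""
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes) -> bool:
    """Snort `uricontent` (simplified): only the URI field is inspected,
    so the method field is never seen by this keyword."""
    parsed = split_request_line(payload)
    return parsed is not None and pattern in parsed[1]


def method_match(payload: bytes, method: bytes) -> bool:
    """Match the HTTP method field only, which is what an XST detection
    for TRACE actually needs."""
    parsed = split_request_line(payload)
    return parsed is not None and parsed[0] == method


def hex_pattern_as_text(hex_pattern: str) -> bytes:
    """Comment 1: the hex form |54 52 41 43 45| is just the ASCII text TRACE."""
    return bytes.fromhex(hex_pattern.replace(" ", ""))


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "trace_request": b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get_with_trace_in_path": b"GET /TRACE HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "post_with_trace_in_body": b"POST /search HTTP/1.1\r\nHost: example.test\r\n\r\nq=TRACE+route",
    "plain_get": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def evaluate(payload: bytes) -> dict:
    """Run the three matchers for the pattern TRACE over one request."""
    return {
        "content": content_match(payload, b"TRACE"),
        "uricontent": uricontent_match(payload, b"TRACE"),
        "method": method_match(payload, b"TRACE"),
    }


if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(f"{name:28s} {evaluate(request)}")
```

Running it shows why `uricontent:"TRACE"` misses a real `TRACE / HTTP/1.1` request (the URI is just `/`) while it does fire on `GET /TRACE`, which is not a TRACE request at all; a match anchored on the method field gets both cases right, and a plain `content` match fires on a request body that merely contains the word.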
