[Snort-sigs] testing snort signature with uri content

MD B Zaman L mdbzaman.l at ...2420...
Thu Feb 14 03:07:48 EST 2008


Greetings Esler,

The following are the entries in snort.conf:

      var HOME_NET 172.16.16.251
      var EXTERNAL_NET any
      var HTTP_SERVERS $HOME_NET
      portvar HTTP_PORTS [80,443]

The HTTP server is running on 172.16.16.251.

I also modified the snort signature to:

      alert tcp any any -> any any (msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007; )

But still it is not firing the alert.


   regards
   zaman



On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler at ...435...>
wrote:

> I would first look at your directional statements.  How do you have
> $HTTP_SERVERS configured?  It is pointing towards $HOME_NET?  Is your
> $HOME_NET filled in?
> How about $EXTERNAL_NET?  How is that variable configured?
>
> J
>
> On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
>
> Greetings All,
>
> I am a new user of snort. I am finding some difficulty in using
> the snort signatures with uri content.
>
> I have created my own snort signature as follows to test for uri
> content.
>
>        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007; )
>
> After that I tried to access the webpage
> http://<http_server>/server-info and verified with ethereal whether the
> content /server-info is generated or not.
> Ethereal was showing that the content was generated.
>
> But no alert was fired for the above written signature.
>
> Please clarify for me how to test signatures with uri content.
>
> Snort is working fine, as I have checked with other signatures with no
> uricontent.
>
>        With Thanks in Advance
>
>     regards
>     zaman
>
> --
> Joel Esler  joel.esler at ...435...