[Snort-sigs] testing snort signature with uri content

Jamie Riden jamie.riden at ...2420...
Thu Feb 14 04:17:19 EST 2008


Just as a sanity check, have you verified that the sensor is seeing
the appropriate packets? (ngrep or tcpdump will do).

Are you getting other snort alerts from your sensor?

cheers,
 Jamie

On 14/02/2008, MD B Zaman L <mdbzaman.l at ...2420...> wrote:
> Greetings  Esler,
>
>         The following are the entries in snort.conf
>
>       var HOME_NET 172.16.16.251
>       var EXTERNAL_NET any
>       var HTTP_SERVERS $HOME_NET
>       portvar HTTP_PORTS [80,443]
>
>   The HTTP server is running on 172.16.16.251
>
>    I also modified the snort signature to
>
>   alert tcp any any -> any any (msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
>
>   But still it is not firing the alert.
>
>    regards
>    zaman
>
> On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler at ...435...>
> wrote:
>
> >
> > I would first look at your directional statements.  How do you have $HTTP_SERVERS configured?  It is pointing towards $HOME_NET?  Is your $HOME_NET filled in?
> >
> > How about $EXTERNAL_NET?  How is that variable configured?
> >
> > J
> >
> > On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
> >
> > Greetings All,
> >
> >      I am a new user of snort. I am finding some difficulty in using the snort signatures with uri content.
> >
> >      I have created my own snort signature as follows to test for uri content.
> >
> >      alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
> >
> >      After that I tried to access the webpage http://<http_server>/server-info and verified with ethereal whether the content /server-info is generated or not.
> >      Ethereal was showing that the content was generated.
> >
> >      But no alert was fired for the above written signature.
> >
> >      Please clarify for me how to test signatures with uri content.
> >
> >      Snort is working fine as I have checked with other signatures with no uricontent.
> >
> >        With Thanks in Advance
> >
> >     regards
> >     zaman

-- 
Jamie Riden / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/
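
The check of the directional statements asked about in the thread, as an added example that is not part of the original messages: Python that expands the posted snort.conf variables and tests whether a client-to-server packet satisfies each posted rule header. The helper names are hypothetical, and the client address 172.16.16.10 and source port 40000 in the note below are constructed.

```python
import ipaddress
import re

# snort.conf entries and both rule versions, as posted in the thread.
CONF = """
var HOME_NET 172.16.16.251
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,443]
"""
OPTS = '(msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007;)'
RULE_V1 = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 " + OPTS
RULE_V2 = "alert tcp any any -> any any " + OPTS

def load_vars(conf):
    """Collect var/ipvar/portvar definitions and expand nested $NAME references."""
    raw = dict(re.findall(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(\S+)", conf, re.M))
    def expand(value, depth=0):
        if depth > 10:
            raise ValueError("variable reference loop")
        return re.sub(r"\$(\w+)", lambda m: expand(raw[m.group(1)], depth + 1), value)
    return {name: expand(value) for name, value in raw.items()}

def _items(spec):
    # "[80,443]" -> ["80", "443"]; negation (!) is not handled here.
    return [s for s in spec.strip("[]").split(",") if s]

def ip_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    return any(i == "any" or ip in ipaddress.ip_network(i, strict=False) for i in _items(spec))

def port_matches(spec, port):
    for i in _items(spec):
        if i == "any":
            return True
        lo, sep, hi = i.partition(":")  # forms: "80", "1:1024", ":1024", "1024:"
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        if low <= port <= high:
            return True
    return False

def header_matches(rule, variables, src, sport, dst, dport):
    """True if a client-to-server packet satisfies a '->' rule header."""
    header = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], rule.split("(", 1)[0])
    _action, _proto, r_src, r_sport, _dir, r_dst, r_dport = header.split()
    return (ip_matches(r_src, src) and port_matches(r_sport, sport)
            and ip_matches(r_dst, dst) and port_matches(r_dport, dport))
```

For a request from 172.16.16.10:40000 to 172.16.16.251:80, `header_matches` returns True for both RULE_V1 and RULE_V2 with `load_vars(CONF)`, so both posted headers cover that traffic.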



