[Snort-sigs] testing snort signature with uri content

MD B Zaman L mdbzaman.l at ...2420...
Thu Feb 14 06:59:08 EST 2008


On Thu, Feb 14, 2008 at 4:17 AM, Jamie Riden <jamie.riden at ...2420...> wrote:

> Just as a sanity check, have you verified that the sensor is seeing
> the appropriate packets? (ngrep or tcpdump will do).



Yes, I have verified with Ethereal and it is generating the matching
packets. Also, Snort is working fine with other signatures like ICMP ping
and content matching for other ports like 53. I am only facing the
problem with port 80. Even if I replace uricontent with content, it does
not work.

regards
zaman

>
> On 14/02/2008, MD B Zaman L <mdbzaman.l at ...2420...> wrote:
> > Greetings Esler,
> >
> > The following are the entries in snort.conf:
> >
> >     var HOME_NET 172.16.16.251
> >     var EXTERNAL_NET any
> >     var HTTP_SERVERS $HOME_NET
> >     portvar HTTP_PORTS [80,443]
> >
> > The HTTP server is running on 172.16.16.251.
> >
> > I also modified the snort signature to
> >
> >     alert tcp any any -> any any (msg:"uri content testing successful";
> >     flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
> >
> > But still it is not firing the alert.
> >
> > regards
> > zaman
> >
> > On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler at ...435...>
> > wrote:
> >
> > >
> > > I would first look at your directional statements. How do you have
> > > $HTTP_SERVERS configured? Is it pointing towards $HOME_NET? Is your
> > > $HOME_NET filled in?
> > >
> > > How about $EXTERNAL_NET? How is that variable configured?
> > >
> > > J
> > >
> > > On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
> > >
> > > Greetings All,
> > >
> > > I am a new user of Snort. I am finding some difficulty in using the
> > > snort signatures with uri content.
> > >
> > > I have created my own snort signature as follows to test for uri
> > > content.
> > >
> > >     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content
> > >     testing successful"; flow:to_server,established;
> > >     uricontent:"/server-info"; sid:1000007;)
> > >
> > > After that I tried to access the webpage
> > > http://<http_server>/server-info and verified with Ethereal whether
> > > the content /server-info is generated or not. Ethereal was showing
> > > that the content was generated.
> > >
> > > But no alert was fired for the above written signature.
> > >
> > > Please clarify for me how to test signatures with uri content.
> > >
> > > Snort is working fine as I have checked with other signatures with no
> > > uricontent.
> > >
> > > With thanks in advance
> > >
> > > regards
> > > zaman
>
> --
> Jamie Riden / jamesr at ...3216... / jamie at ...3294...
> UK Honeynet Project: http://www.ukhoneynet.org/
>
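A small checker for the two dependencies this thread keeps circling, added here as an illustration and not code from the thread or from the Snort project: in Snort 2.x, uricontent matches only the normalized URI buffer that the http_inspect preprocessor populates, and flow:to_server,established relies on TCP session tracking from stream4 or stream5, so a snort.conf that only defines variables (as the one quoted above does) lets such a rule load but never fire. The rule and the first configuration fragment are constructed from the messages above; the preprocessor lines in the second configuration are a hypothetical fix with the ports the rule's traffic uses, and the parsers are deliberately simplified (one-line rules, no ';' inside quoted values).

```python
"""Lint a Snort 2.x rule against a snort.conf for the usual reasons a
uricontent rule never fires.  Added example; not code from the thread or
from the Snort project.  Rule and config text are constructed from the
messages in the thread."""
import re

# Constructed from the thread: the original rule and the variables the
# poster reported from snort.conf (no preprocessor lines were listed).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"uri content testing successful"; flow:to_server,established; '
        'uricontent:"/server-info"; sid:1000007;)')

CONF_WITHOUT_PREPROCESSORS = """\
var HOME_NET 172.16.16.251
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,443]
"""

# Hypothetical fix: the same variables plus the two preprocessors the rule
# depends on.  stream5 gives flow: its session state; http_inspect_server
# builds the normalized URI buffer that uricontent: searches.
CONF_WITH_PREPROCESSORS = CONF_WITHOUT_PREPROCESSORS + """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first, ports both 80 443
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 443 }
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Split a one-line rule into header fields and (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % text)
    options = []
    # Simplification: splits on ';', so it assumes no ';' inside quoted values.
    for raw in m.group('opts').split(';'):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(':')
            options.append((key.strip(), value.strip()))
    header = {k: m.group(k)
              for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    return {'header': header, 'options': options}


def parse_conf(text):
    """Collect var/portvar/ipvar definitions and preprocessor lines from snort.conf."""
    conf = {'vars': {}, 'preprocessors': {}}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].strip().split(None, 2)
        if len(parts) == 3 and parts[0] in ('var', 'portvar', 'ipvar'):
            conf['vars'][parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == 'preprocessor':
            name = parts[1].rstrip(':')
            conf['preprocessors'][name] = parts[2] if len(parts) == 3 else ''
    return conf


def http_inspect_ports(conf):
    """Ports the http_inspect_server default profile normalizes URIs for."""
    args = conf['preprocessors'].get('http_inspect_server', '')
    m = re.search(r'ports\s*\{([^}]*)\}', args)
    return {int(p) for p in m.group(1).split()} if m else set()


def lint(rule, conf):
    """Return human-readable findings; an empty list means no obvious blocker."""
    findings = []
    keys = {k for k, _ in rule['options']}
    pre = set(conf['preprocessors'])
    dport = rule['header']['dport']
    if 'uricontent' in keys and not {'http_inspect', 'http_inspect_server'} <= pre:
        findings.append('uricontent searches the URI buffer built by http_inspect; '
                        'enable http_inspect and http_inspect_server or it never matches')
    elif 'uricontent' in keys and dport.isdigit() and int(dport) not in http_inspect_ports(conf):
        findings.append('destination port %s is not in the http_inspect_server ports list, '
                        'so its requests are never normalized' % dport)
    if 'flow' in keys and not ({'stream5_global', 'stream5_tcp'} <= pre or 'stream4' in pre):
        findings.append('flow: needs TCP session tracking from stream4 or stream5; '
                        'without it "established" is never true')
    if 'sid' not in keys:
        findings.append('rule has no sid; every local rule should carry a unique one')
    for field in ('src', 'sport', 'dst', 'dport'):
        value = rule['header'][field]
        if value.startswith('$') and value[1:] not in conf['vars']:
            findings.append('%s is used in the rule but not defined in snort.conf' % value)
    return findings


def check(rule_text, conf_text):
    return lint(parse_rule(rule_text), parse_conf(conf_text))


if __name__ == '__main__':
    for label, conf in (('as posted', CONF_WITHOUT_PREPROCESSORS),
                        ('with preprocessors', CONF_WITH_PREPROCESSORS)):
        print(label + ':')
        for finding in check(RULE, conf) or ['no blockers found']:
            print('  - ' + finding)
```

Once both preprocessors are in the configuration, the quickest end-to-end test needs no live traffic: capture one request to the server with tcpdump and replay the file through Snort with `snort -c snort.conf -r capture.pcap -A console`, which prints the alert on the terminal if the rule matches.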