[Snort-sigs] testing snort signature with uri content

Matthew Watchinski mwatchinski at ...435...
Thu Feb 14 10:26:35 EST 2008


Are you generating your test traffic from the same system running snort?

If so you might want to try the following:

If you run tcpdump -i <interface> -nvvvv | egrep -i '(bad|invalid)'

Do you see anything?

If so you'll need to run snort with "-k none" for your testing, which 
turns off validation of checksums.

-matt

MD B Zaman L wrote:
> On Thu, Feb 14, 2008 at 4:17 AM, Jamie Riden <jamie.riden at ...2420...> wrote:
> 
>> Just as a sanity check, have you verified that the sensor is seeing
>> the appropriate packets? (ngrep or tcpdump will do).
> 
> 
> 
>     Ya, I have verified with Ethereal and it is generating the matching
> packets.
>    Also, snort is working fine with other signatures like ICMP ping and
> content matching for other ports like 53.
>   I am only facing the problem with port 80. Even if I replace uricontent
>   with content, it does not work.
> 
>   regards
>  zaman
> 
>>
>>
>>
>> On 14/02/2008, MD B Zaman L <mdbzaman.l at ...2420...> wrote:
>>> Greetings Esler,
>>>
>>>         The following are the entries in snort.conf
>>>
>>>       var HOME_NET 172.16.16.251
>>>       var EXTERNAL_NET any
>>>       var HTTP_SERVERS $HOME_NET
>>>       portvar HTTP_PORTS [80,443]
>>>
>>>   The HTTP server is running on 172.16.16.251
>>>
>>>    I also modified the snort signature to
>>>
>>>   alert tcp any any -> any any (msg:"uri content testing successful ";
>>>   flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
>>>
>>>   But still it is not firing the alert.
>>>
>>>
>>>    regards
>>>    zaman
>>>
>>>
>>>
>>>
>>> On Wed, Feb 13, 2008 at 9:34 AM, Joel Esler <joel.esler at ...435...>
>>> wrote:
>>>
>>>> I would first look at your directional statements.  How do you have
>>> $HTTP_SERVERS configured?  Is it pointing towards $HOME_NET?  Is your
>>> $HOME_NET filled in?
>>>>
>>>> How about $EXTERNAL_NET?  How is that variable configured?
>>>>
>>>>
>>>> J
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:
>>>>
>>>>
>>>>
>>>>
>>>> Greetings All,
>>>>
>>>>          I am a new user of snort. I am finding some difficulty in using
>>>> the snort signatures with uri content.
>>>>         I have created my own snort signature as follows to test for uri
>>>> content.
>>>>        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful ";
>>>>        flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
>>>>
>>>>
>>>>      After that I tried to access the webpage
>>>> http://<http_server>/server-info and verified with
>>>> Ethereal whether the content /server-info is generated or not.
>>>>      Ethereal was showing that the content was generated.
>>>>
>>>>      But no alert was fired for the above-written signature.
>>>>
>>>>      Please clarify for me how to test signatures with uri content.
>>>>
>>>>      Snort is working fine as I have checked with other signatures
>>>> with no uricontent.
>>>>        With Thanks in Advance
>>>>
>>>>     regards
>>>>     zaman
>> --
>> Jamie Riden / jamesr at ...3216... / jamie at ...3294...
>> UK Honeynet Project: http://www.ukhoneynet.org/
>>
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
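An added example, not code from anyone in this thread or from Snort itself: a small Python model of the checksum gate Matt is pointing at. When the HTTP request is generated on the same host that runs Snort and the NIC does TCP checksum offload, the capture sees the outbound segment before the hardware has filled the checksum in, so tcpdump -vvv reports it as bad and Snort's decoder (default -k all) discards the packet before the detection engine ever looks at the URI; -k none switches that check off. The client address and port, and the zeroed checksum field standing in for an offloaded segment, are constructed for this example; the server address 172.16.16.251 and the URI /server-info are the ones from the thread. The uricontent match is a deliberately simplified stand-in that inspects only the request-target, without http_inspect normalisation.

```python
"""Model of Snort's checksum gate (-k) and why a locally generated HTTP
request can fail to trigger a uricontent rule.  Added example, not code
from the thread or from Snort; all packets are built in memory."""
import socket
import struct

TCP_PSH_ACK = 0x018


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words,
    complemented.  Over a buffer that already holds a correct checksum the
    result is 0, which is the verification test used below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo header covered by the TCP checksum (addrs, proto 6, length)."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) carrying TCP, with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes,
                fill_checksum: bool = True) -> bytes:
    """TCP header (no options) plus payload.  fill_checksum=False leaves the
    checksum field at zero: this example's stand-in for a segment whose
    checksum the kernel deferred to the NIC.  On the wire it is correct;
    a sniffer on the sending host sees the unfilled placeholder."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0x2000,
                      (5 << 12) | TCP_PSH_ACK, 65535, 0, 0)
    if not fill_checksum:
        return hdr + payload
    pseudo = tcp_pseudo_header(socket.inet_aton(src), socket.inet_aton(dst),
                               len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ipv4_checksum_ok(ip_hdr: bytes) -> bool:
    return inet_checksum(ip_hdr[:20]) == 0


def tcp_checksum_ok(ip_hdr: bytes, tcp_seg: bytes) -> bool:
    pseudo = tcp_pseudo_header(ip_hdr[12:16], ip_hdr[16:20], len(tcp_seg))
    return inet_checksum(pseudo + tcp_seg) == 0


def decoder_accepts(ip_hdr: bytes, tcp_seg: bytes, k_mode: str = "all") -> bool:
    """Snort drops a packet with a bad checksum before detection.  -k all
    (default) checks IP and TCP; noip / notcp skip one; none skips both,
    which is the setting suggested in the thread for same-host testing."""
    check_ip = k_mode in ("all", "notcp")
    check_tcp = k_mode in ("all", "noip")
    if check_ip and not ipv4_checksum_ok(ip_hdr):
        return False
    if check_tcp and not tcp_checksum_ok(ip_hdr, tcp_seg):
        return False
    return True


def uricontent_match(tcp_seg: bytes, needle: bytes) -> bool:
    """Simplified uricontent: only the request-target of the HTTP request
    line is searched, not headers or body (http_inspect normalisation omitted)."""
    data_offset = (tcp_seg[12] >> 4) * 4
    request_line = tcp_seg[data_offset:].split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) >= 2 and needle in parts[1]


def rule_fires(ip_hdr: bytes, tcp_seg: bytes, k_mode: str) -> bool:
    """alert tcp any any -> any any (uricontent:"/server-info";) under -k k_mode."""
    return decoder_accepts(ip_hdr, tcp_seg, k_mode) and \
        uricontent_match(tcp_seg, b"/server-info")


# Constructed traffic: client address/port are made up; server address and
# URI are the ones given in the thread.
CLIENT, SERVER = "172.16.16.50", "172.16.16.251"
REQUEST = b"GET /server-info HTTP/1.1\r\nHost: 172.16.16.251\r\n\r\n"


def build(fill_checksum: bool):
    seg = tcp_segment(CLIENT, SERVER, 40123, 80, REQUEST, fill_checksum)
    return ipv4_header(CLIENT, SERVER, len(seg)), seg


def demo() -> dict:
    """(packet kind, -k mode) -> whether the rule fires."""
    results = {}
    for label, fill in (("wire", True), ("offloaded", False)):
        ip_hdr, tcp_seg = build(fill)
        for mode in ("all", "none"):
            results[(label, mode)] = rule_fires(ip_hdr, tcp_seg, mode)
    return results


if __name__ == "__main__":
    for (label, mode), fired in demo().items():
        print(f"{label:9s} -k {mode:4s} -> {'ALERT' if fired else 'no alert'}")
```

The "wire" packet fires under both modes; the "offloaded" one fires only under -k none, even though its payload carries /server-info, because the decoder never hands it to detection under -k all. Against live traffic, Matt's tcpdump -vvv pipeline (or simply generating the request from a host other than the sensor) tells you which of the two cases you are in.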