[Snort-sigs] http_header ** SOLVED

Mike Messick mikem at ...1951...
Tue Jan 19 22:22:45 EST 2010


I wanted to drop a note to the list saying thanks for the help, and to 
let people know how we solved the issue.

It turns out our proxy server is generating invalid TCP checksums 
(likely due to kernel offloading checksum to NIC), and by default, snort 
appears to drop packets with invalid checksums.

While we still need to fix the proxy server problem, we added the '-k 
none' flag to snort and it's now alerting on http related rules.

Thanks again,
-Mike.
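
As an added example (not from the thread and not Snort's own code): before turning checksum verification off with '-k none', it is worth confirming that the captured segments really do fail the TCP checksum. The script below verifies the checksum of a raw IPv4/TCP packet the way a sensor does; the addresses, ports and request are constructed sample values, and a packet with a garbage checksum field stands in for what the host reports when the NIC was supposed to fill it in.

```python
import struct

# Constructed sample values (not from the thread): a client on 10.0.0.5
# sending an HTTP request to the proxy at 10.0.0.80.
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 80])
PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folding carries."""
    if len(data) % 2:
        data += b"\x00"  # odd-length segments are padded with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF - ones_complement_sum(pseudo + zeroed)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the stored TCP checksum of a raw IPv4/TCP packet verifies:
    summing pseudo-header and segment including the field must give 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_packet(checksum=None) -> bytes:
    """Assemble the sample packet. checksum=None stores the correct value;
    anything else is written verbatim, which is what a sensor sees when the
    host left the field for the NIC to fill in (checksum offload)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18,
                      65535, 0, 0) + PAYLOAD
    if checksum is None:
        checksum = tcp_checksum(SRC_IP, DST_IP, tcp)
    tcp = tcp[:16] + struct.pack("!H", checksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, 6, 0, SRC_IP, DST_IP)
    return ip + tcp
```

Running packets read from a pcap through tcp_checksum_ok shows how many segments Snort discards at its default checksum mode; if only traffic originating on the proxy host fails, checksum offload on that host is the likely cause.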


Mike Messick wrote:
> No - but when I modify the rule to:
>
> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to microsoft.com"; content:"microsoft.com"; nocase; sid:3000004;)
>
> it will fire if I type 'microsoft.com' into the search window on 
> www.microsoft.com.
>
> gahh... This feels obvious, but I'm just not seeing it yet.
>
> -Mike.
>
>
> evilghost at ...3397... wrote:
>
>> Mike, I'm curious, does this work?
>>
>> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
>> www.microsoft.com"; content:"|0d 0a|Host\: www.microsoft.com|0d 0a|"; nocase; 
>> sid:3000004;)
>>
>> Note, I did not specify an HTTP method so there is potential to false against body content.
>>
>> PS - Todd says I don't need to escape colon, I'm old school.
>>
>> -evilghost
>>
>>
>>
>>
>>
>> Mike Messick wrote:
>>
>>> Hi Folks,
>>>
>>> I'm trying to write some rules that will alert whenever a specific http 
>>> host is requested by a client.  For example:
>>>
>>> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
>>> www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; 
>>> sid:3000004;)
>>>
>>> However I cannot get this rule to alert.  What am I doing wrong? 
>>>
>>> I did notice this in the release notes for 2.8.6 Beta:
>>> [*] New Additions
>>>    * HTTP Inspect now splits requests into 5 components -
>>>      Method, URI, Header (non-cookie), Cookies, Body.
>>>      Content and PCRE rule options can now search one or more of these
>>>
>>> I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? 
>>>
>>> Any help will be most appreciated.
>>>
>>> Thanks,
>>> -Mike.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Throughout its 18-year history, RSA Conference consistently attracts the
>>> world's best and brightest in the field, creating opportunities for Conference
>>> attendees to learn about information security's most important issues through
>>> interactions with peers, luminaries and emerging and established companies.
>>> http://p.sf.net/sfu/rsaconf-dev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>