[Snort-sigs] Question about a Snort rule

Korodev korodev at ...2420...
Fri Feb 25 10:35:32 EST 2011


> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)

This rule is way off. What are you trying to do here? If you're trying
to alert on iPads browsing the web on your network, then a much
better place to start would be looking at the user agent.

A few things to consider:

1) UDP is not used in regards to HTTP. So you should replace UDP with TCP.

2) You've limited the rule to only alert on matching SYN packets. I
won't mention that there are no SYN packets in UDP, but it's likely
most of your intended content matches will not be in the initial SYN
packet.

3) The http_uri flag limits your content match to the URL.

\\korodev
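The three problems korodev lists (UDP for HTTP, a SYN-only flags match combined with payload content, and http_uri when the interesting string is in the User-Agent header) are mechanical enough to check automatically. The script below is an added example for this thread, not code from the Snort-sigs list or from the Snort project: it parses a Snort 2.x rule header and option list, reports those three problems as findings, and rewrites the rule along the lines of the reply (tcp, no flags:S, http_header instead of http_uri). The POSTED_RULE string is the quoted rule joined onto one line; the `flow:to_server,established` option the rewrite inserts is an assumption on my part about how such a rule is usually written, not something the post asks for.

```python
"""Lint a Snort 2.x rule for the mistakes discussed in the post and
rewrite it per the reply's advice. Added example, not Snort project code."""
import re

# Header: action proto src sport dir dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# Snort 2.x content modifiers that restrict a match to one part of an HTTP message.
HTTP_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_raw_cookie", "http_client_body", "http_method", "http_stat_code", "http_stat_msg",
}
# Modifiers that attach to the preceding 'content' keyword rather than standing alone.
CONTENT_MODIFIERS = HTTP_MODIFIERS | {"nocase", "rawbytes", "fast_pattern"}

# Constructed input: the rule quoted in the post, joined onto one line.
POSTED_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
    'content:"iPad"; http_uri; nocase; flags:S; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:1;)'
)


def parse_rule(rule):
    """Return (header dict, options list). Each option is a dict with 'key',
    'value' (None for bare keywords) and 'mods' (modifiers of a content match)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    header = m.groupdict()
    raw_opts = header.pop("opts")
    options = []
    # Split on ';' while leaving quoted values (which may contain ';') intact.
    for token in re.findall(r'(?:"[^"]*"|[^;])+', raw_opts):
        token = token.strip()
        if not token:
            continue
        key, _, value = token.partition(":")
        key = key.strip()
        if key in CONTENT_MODIFIERS and options and options[-1]["key"] == "content":
            options[-1]["mods"].append(key)  # modifier belongs to the last content
        else:
            options.append({"key": key, "value": value.strip() or None, "mods": []})
    return header, options


def format_rule(header, options):
    """Serialise a parsed rule back into Snort syntax."""
    parts = []
    for opt in options:
        parts.append(opt["key"] if opt["value"] is None else "%s:%s" % (opt["key"], opt["value"]))
        parts.extend(opt["mods"])
    head = "%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s" % header
    return "%s (%s;)" % (head, "; ".join(parts))


def lint(rule):
    """Return finding codes for the three problems raised in the reply."""
    header, options = parse_rule(rule)
    findings = []
    proto = header["proto"].lower()
    contents = [o for o in options if o["key"] == "content"]
    flags = next((o["value"] for o in options if o["key"] == "flags"), None)
    if proto == "udp" and any(set(c["mods"]) & HTTP_MODIFIERS for c in contents):
        findings.append("udp-with-http-modifier")  # HTTP rides on TCP; this never matches
    if proto == "udp" and flags is not None:
        findings.append("udp-with-flags")  # UDP has no TCP flags to test
    if flags is not None and flags.split(",")[0] == "S" and contents:
        findings.append("syn-only-with-content")  # a bare SYN carries no payload
    return findings


def rewrite_for_user_agent(rule):
    """Apply the reply's advice: TCP, no SYN restriction, and match the string in
    the request headers (where User-Agent lives) instead of the URI. The added
    flow option is an assumption about common practice, not from the post."""
    header, options = parse_rule(rule)
    header["proto"] = "tcp"
    options = [o for o in options if o["key"] != "flags"]
    for opt in options:
        if opt["key"] == "content":
            opt["mods"] = ["http_header" if m == "http_uri" else m for m in opt["mods"]]
    if not any(o["key"] == "flow" for o in options):
        options.insert(1, {"key": "flow", "value": "to_server,established", "mods": []})
    return format_rule(header, options)


if __name__ == "__main__":
    print(lint(POSTED_RULE))
    print(rewrite_for_user_agent(POSTED_RULE))
```

Running it prints the three findings for the posted rule and a rewritten rule that starts `alert tcp` and carries `content:"iPad"; http_header; nocase;`; whether "iPad" is the right token to look for in the User-Agent is something to confirm against captured traffic rather than assume.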
