[Snort-sigs] Question about a Snort rule
nhoughton at ...435...
Fri Feb 25 10:39:36 EST 2011
On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
> My engineers are having trouble with a custom rule:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
> Any help would be appreciated. The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
> Miso, CISO
Your rule is looking for "iPad" in a URI. So for the event to occur you
would need something like http://www.foobar.com/foo/iPad
Additionally, you are using "flags:S;" so the only data you are looking
at is in SYN packets, so there won't be a URI in those packets anyway.
Take a look at the latest Snort manual; there are examples of rules
using the http options in there. Get some packet capture data of the
traffic you wish to detect and take it from there.
I'm guessing you will have more questions as you proceed, feel free to
email the list with them. Send your revised rule to the list if you
like for further inspection.
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
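To make the two problems in the reply concrete, here is an added example (not code from the list posters or from the Snort project) that sanity-checks a rule for option combinations that can never fire: an HTTP or content match combined with `flags:S` (a bare SYN carries no payload), and TCP-only options such as `flags` on a non-TCP header. The parser is a deliberately minimal string splitter, not Snort's grammar, and the "fixed" rule is my own assumed rewrite of the posted one (tcp header, `$HTTP_PORTS`, `flow:to_server,established`, `flags` dropped, `rev` bumped), not a rule from the thread.

```python
"""Lint a single Snort rule for option combinations that can never match.

Added example for this thread; not from Snort or the posters.  The parser
is a minimal string splitter that handles quoted option values, nothing more.
"""
import re

# Options that need a reassembled HTTP request (TCP stream) to match.
HTTP_OPTIONS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                "http_method", "http_client_body", "http_cookie",
                "http_stat_code", "http_stat_msg"}
# Options that inspect TCP header fields and are meaningless on udp/icmp/ip.
TCP_ONLY_OPTIONS = {"flags", "seq", "ack", "window"}
# Options that require payload bytes to be present.
PAYLOAD_OPTIONS = {"content", "pcre", "uricontent"} | HTTP_OPTIONS

# Constructed copy of the rule posted to the list, joined onto one line.
POSTED_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP '
    'request"; content:"iPad"; http_uri; nocase; flags:S; '
    'classtype:bad-unknown; reference:url,www.apple.com/ipad/; '
    'sid:18954545; rev:1;)'
)

# Assumed rewrite (my own, not from the thread): TCP to the web ports on an
# established client-to-server flow, flags:S removed so payload is inspected.
FIXED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"iPad related '
    'HTTP request"; flow:to_server,established; content:"iPad"; http_uri; '
    'nocase; classtype:bad-unknown; reference:url,www.apple.com/ipad/; '
    'sid:18954545; rev:2;)'
)

# One option: a run of non-';' non-'"' characters or a double-quoted string.
_OPTION_RE = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')


def parse_rule(rule):
    """Return (header_tokens, [(name, value), ...]) for a one-line rule."""
    header, _, body = rule.partition("(")
    tokens = header.split()
    body = body.rstrip()
    if len(tokens) != 7 or not body.endswith(")"):
        raise ValueError("expected 'action proto src sport -> dst dport (...)'")
    options = []
    for raw in _OPTION_RE.findall(body[:-1]):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition(":")
        options.append((name.strip(), value.strip()))
    return tokens, options


def lint(rule):
    """Return a list of human-readable problems; empty means nothing found."""
    tokens, options = parse_rule(rule)
    proto = tokens[1].lower()
    names = {name for name, _ in options}
    problems = []

    if proto != "tcp" and names & HTTP_OPTIONS:
        problems.append("http_* options need a TCP/HTTP stream, but the "
                        "header protocol is %s" % proto)
    if proto != "tcp" and names & TCP_ONLY_OPTIONS:
        problems.append("TCP header options %s used with protocol %s"
                        % (sorted(names & TCP_ONLY_OPTIONS), proto))

    wants_payload = bool(names & PAYLOAD_OPTIONS)
    for name, value in options:
        # flags:S or flags:S,<mask> means "only the SYN bit set": a bare SYN
        # has no payload, so content/http_uri can never match in it.
        if name == "flags" and value.split(",")[0].strip() == "S" and wants_payload:
            problems.append("flags:S restricts the rule to bare SYN packets, "
                            "which carry no payload for content/http_uri")
    return problems


if __name__ == "__main__":
    for label, rule in (("posted", POSTED_RULE), ("fixed", FIXED_RULE)):
        print("%s rule: %s" % (label, lint(rule) or ["no problems found"]))
```

Running the script reports three problems for the posted rule (udp header with `http_uri`, udp header with `flags`, and `flags:S` together with a payload match) and none for the rewrite; the same check can be pointed at any one-line rule before it is loaded into a sensor.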