[Snort-sigs] Question about a Snort rule

Nigel Houghton nhoughton at ...435...
Fri Feb 25 10:39:36 EST 2011

On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
> My engineers are having trouble with a custom rule:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
> Any help would be appreciated.  The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
> Thanks.
> Miso, CISO

Your rule is looking for "iPad" in a URI. So for the event to occur you 
would need something like http://www.foobar.com/foo/iPad

Additionally, you are using "flags:S;" so the only data you are looking 
at is in SYN packets, so there won't be a URI in the packets anyway.

Take a look at the latest Snort manual, there are examples of rules 
using the http options in there, get some packet capture data of the 
traffic you wish to detect and take it from there.

I'm guessing you will have more questions as you proceed, feel free to 
email the list with them. Send your revised rule to the list if you 
like for further inspection.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

More information about the Snort-sigs mailing list