[Snort-sigs] Question about a Snort rule

Miso Patel miso.patel at ...2420...
Fri Feb 25 10:55:02 EST 2011

OK, I now understand why just looking for 'flags:S;' doesn't make
sense but we want to alert on a situation where there is an
established UDP connection AND 'iPad' in the URI so we are trying this
one now (without luck but I feel we are getting closer):

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
request"; content:"iPad"; http_uri; nocase; flags:A+;
classtype:bad-unknown; reference:url,www.apple.com/ipad/;
sid:18954545; rev:2;)


Miso, CISO

On 2/25/11, Nigel Houghton <nhoughton at ...435...> wrote:
> On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
>> My engineers are having trouble with a custom rule:
>> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
>> request"; content:"iPad"; http_uri; nocase; flags:S;
>> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
>> sid:18954545; rev:1;)
>> Any help would be appreciated.  The rule does not seem to be alerting
>> for some reason and I think this could be a bug with Snort.
>> Thanks.
>> Miso, CISO
> Your rule is looking for "iPad" in a URI. So for the event to occur you
> would need something like http://www.foobar.com/foo/iPad
> Additionally, you are using "flags:S;" so the only data you are looking
> at is in SYN packets, so there won't be a URI in the packets anyway.
> Take a look at the latest Snort manual, there are examples of rules
> using the http options in there, get some packet capture data of the
> traffic you wish to detect and take it from there.
> I'm guessing you will have more questions as you proceed, feel free to
> email the list with them. Send your revised rule to the list if you
> like for further inspection.
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/

More information about the Snort-sigs mailing list