[Snort-sigs] Question about a Snort rule
nhoughton at ...435...
Fri Feb 25 11:14:30 EST 2011
On Fri, 25 Feb 2011 09:55:02 -0600, Miso Patel wrote:
> OK, I now understand why just looking for 'flags:S;' doesn't make
> sense but we want to alert on a situation where there is an
> established UDP connection AND 'iPad' in the URI so we are trying this
> one now (without luck but I feel we are getting closer):
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:A+;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:2;)
Well, as Will already pointed out, you can now use
"flow:to_server,established;" with UDP rules. You will need the
"track_udp yes," in your snort.conf for this to work. (it is in the
snort.conf that ships with current versions of snort and in the rule
tar balls too) The "flow" option completely replaced "flags" a number
of years ago.
The next thing is, you won't see "iPad", or anything else for that
matter, in an HTTP URI request. So, if your intent is to detect iPads
that are using UDP for communications, and you know that iPad will be
in that data, then you should remove the "http_uri" content modifier
If you were wanting to detect iPads trying to access web resources,
then you would be looking at TCP data and most likely you would want to
look in the HTTP headers for a request. In which case you would use
"http_header" as a content modifier.
If you have more information on what exactly you are trying to do, it
would help the folks on the list to assist.
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
More information about the Snort-sigs