[Snort-sigs] Question about a Snort rule

Nigel Houghton nhoughton at ...435...
Fri Feb 25 11:14:30 EST 2011

On Fri, 25 Feb 2011 09:55:02 -0600, Miso Patel wrote:
> OK, I now understand why just looking for 'flags:S;' doesn't make
> sense but we want to alert on a situation where there is an
> established UDP connection AND 'iPad' in the URI so we are trying this
> one now (without luck but I feel we are getting closer):
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:A+;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:2;)

Well, as Will already pointed out, you can now use 
"flow:to_server,established;" with UDP rules. You will need the 
"track_udp yes," in your snort.conf for this to work. (it is in the 
snort.conf that ships with current versions of snort and in the rule 
tar balls too) The "flow" option completely replaced "flags" a number 
of years ago.

The next thing is, you won't see "iPad", or anything else for that 
matter, in an HTTP URI request. So, if your intent is to detect iPads 
that are using UDP for communications, and you know that iPad will be 
in that data, then you should remove the "http_uri" content modifier 

If you were wanting to detect iPads trying to access web resources, 
then you would be looking at TCP data and most likely you would want to 
look in the HTTP headers for a request. In which case you would use 
"http_header" as a content modifier.

If you have more information on what exactly you are trying to do, it 
would help the folks on the list to assist.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

More information about the Snort-sigs mailing list