[Snort-sigs] Question about a Snort rule

Matt Olney molney at ...435...
Fri Feb 25 12:31:35 EST 2011


That and it is fairly rare to find URI data or TCP flags in UDP packets.

On Fri, Feb 25, 2011 at 11:14 AM, Nigel Houghton
<nhoughton at ...435...> wrote:

> On Fri, 25 Feb 2011 09:55:02 -0600, Miso Patel wrote:
> > OK, I now understand why just looking for 'flags:S;' doesn't make
> > sense but we want to alert on a situation where there is an
> > established UDP connection AND 'iPad' in the URI so we are trying this
> > one now (without luck but I feel we are getting closer):
> >
> > alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> > request"; content:"iPad"; http_uri; nocase; flags:A+;
> > classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> > sid:18954545; rev:2;)
>
> Well, as Will already pointed out, you can now use
> "flow:to_server,established;" with UDP rules. You will need the
> "track_udp yes," in your snort.conf for this to work. (It is in the
> snort.conf that ships with current versions of snort and in the rule
> tarballs too.) The "flow" option completely replaced "flags" a number
> of years ago.
>
> The next thing is, you won't see "iPad", or anything else for that
> matter, in an HTTP URI request. So, if your intent is to detect iPads
> that are using UDP for communications, and you know that iPad will be
> in that data, then you should remove the "http_uri" content modifier
> altogether.
>
> If you were wanting to detect iPads trying to access web resources,
> then you would be looking at TCP data and most likely you would want to
> look in the HTTP headers for a request. In which case you would use
> "http_header" as a content modifier.
>
> If you have more information on what exactly you are trying to do, it
> would help the folks on the list to assist.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
>
>
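As an added illustration of the three points made above (stream5 UDP tracking, dropping "http_uri" from a UDP rule, and using "http_header" for HTTP over TCP), here is a rules fragment that is not from the thread or from the Snort rule tarballs; the sid values, the use of $HTTP_PORTS, and anchoring the match to the User-Agent header are this example's own choices.

```snort
# snort.conf: stream5 must track UDP for "flow:" to work in udp rules
# (option names as in the Snort 2.9 stream5 preprocessor)
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_udp: timeout 180

# The rule as posted in the thread, kept commented out for comparison:
# "flags:" tests TCP flags and "http_uri" selects the normalized HTTP
# URI buffer, so neither has anything to match in a UDP packet.
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; content:"iPad"; http_uri; nocase; flags:A+; classtype:bad-unknown; reference:url,www.apple.com/ipad/; sid:18954545; rev:2;)

# Case 1: "iPad" in the payload of an established UDP session.
# flow: replaces flags:, and the content has no HTTP buffer modifier.
# sid 1000001 is a hypothetical local-range id.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad string in established UDP session"; flow:to_server,established; content:"iPad"; nocase; classtype:bad-unknown; reference:url,www.apple.com/ipad/; sid:1000001; rev:1;)

# Case 2: an iPad fetching web resources. That is TCP, and the device
# name appears in the request headers (User-Agent), so match in the
# normalized header buffer with http_header rather than http_uri.
# $HTTP_PORTS is assumed to be defined in snort.conf; sid is hypothetical.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"iPad User-Agent in HTTP request"; flow:to_server,established; content:"User-Agent|3A|"; http_header; content:"iPad"; http_header; nocase; distance:0; classtype:bad-unknown; reference:url,www.apple.com/ipad/; sid:1000002; rev:1;)
```

Before deploying, load the configuration in test mode (`snort -T -c snort.conf`) so that any keyword Snort rejects for the protocol in use is reported at parse time rather than silently producing a rule that never fires.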