[Snort-sigs] Help with a signature

Alex Kirk akirk at ...435...
Sat Sep 15 16:56:47 EDT 2012


Actually, you just want to use http_uri as a modifier to the content match.
uricontent is long since deprecated.

Also, given that I see your PCAP is missing bytes, you might want to try on
a more complete PCAP. You may be running into confusion with the stream or
http preprocessors, which could be discarding the incomplete request.
On Sep 15, 2012 10:25 AM, "Jamie Riden" <jamie.riden at ...2420...> wrote:

> Not exactly sure why this didn't match, but you should try uricontent
> instead of content - it's normalised by the http_preprocessor.
>
> I believe there are some bleeding edge rules which match on =http if you
> want to compare - it's a more general RFI signature.
>
> cheers,
>  Jamie
>
> On 14 September 2012 14:06, Wilson, Dave <Dave.Wilson at ...3732...> wrote:
>
>> Hello,
>>
>> I'm trying to create a snort rule that will alert on traffic that
>> contains "rfihub" as part of the url.  Here is an example of the TCP stream
>> of a packet that I'd want to alert on.
>>
>> 00000000  47 45 54 20 2f 63 6d 3f  70 69 64 3d 32 30 37 36   GET /cm?pid=2076
>> 00000010  32 35 30 66 2d 39 32 63  32 2d 34 65 63 64 2d 39   250f-92c2-4ecd-9
>> 00000020  30 34 33 2d 63 63 36 33  65 65 36 63 34 35 37 37   043-cc63ee6c4577
>> 00000030  26 64 73 74 3d 68 74 74  70 25 33 41 25 32 46 25   &dst=http%3A%2F%
>> 00000040  32 46 70 2e 72 66 69 68  75 62 2e 63 6f 6d 25 32   2Fp.rfihub.com%2
>> 00000050  46 63 6d 25 33 46 69 6e                            Fcm%3Fin
>> 00000058  5b 31 32 37 32 20 62 79  74 65 73 20 6d 69 73 73   [1272 bytes miss
>> 00000068  69 6e 67 20 69 6e 20 63  61 70 74 75 72 65 20 66   ing in capture f
>> 00000078  69 6c 65 5d                                        ile]
>> 0000007C  61 74 68 65 72 2e 63 6f  6d 25 32 46 6d 61 6e 61   ather.com%2Fmana
>> 0000008C  67 65 64 66 65 25 32 46  6d 61 6b 65 52 65 71 75   gedfe%2FmakeRequ
>> 0000009C  65 73 74 2d 6d 61 78 2e  68 74 6d 6c 25 33 46 70   est-max.html%3Fp
>> 000000AC  6f 73 25 33 44 57 58 5f  54 6f 70 33 30 30 56 61   os%3DWX_Top300Va
>> 000000BC  72 69 61 62 6c 65 26 70  66 3d 0d 0a 43 6f 6f 6b   riable&pf=..Cook
>> 000000CC  69 65 3a 20 69 3d 65 31                            ie: i=e1
>>
>> 00000000  48 54 54 50 2f 31 2e 31  20 33 30 32 20 4f 4b 0d   HTTP/1.1 302 OK.
>> 00000010  0a 43 6f 6e 74 65 6e 74  2d 54 79 70 65 3a 20 74   .Content-Type: t
>> 00000020  65 78 74 2f 68 74 6d 6c  3b 20 63 68 61 72 73 65   ext/html; charse
>> 00000030  74 3d 75 74 66 2d 38 0d  0a 50 33 50 3a 20 43 50   t=utf-8..P3P: CP
>> 00000040  3d 22 43 55 52 20 41 44  4d 20 4f 55 52 20 4e 4f   ="CUR ADM OUR NO
>> 00000050  52 20 53 54 41 20 4e 49                            R STA NI
>>
>> Here is the rule I put together:
>>
>> alert tcp any any -> any any (msg:"Zeroaccess variant"; content:"|72 66 69 68 75 62|"; sid:1000001;)
>>
>> When I feed the pcap into snort, it'll process it, but not alert.  I've
>> tried changing the protocol from tcp to http, but snort chokes and tells me
>> "Bad Protocol: http"
>>
>> I'm still very new at writing snort rules, so I apologize in advance for
>> any helpful details I've left out.  I really appreciate any
>> assistance...thank you.
>>
>> Dave
>>
>>
>> ------------------------------------------------------------------------------
>> How fast is your code?
>> 3 out of 4 devs don't know how their code performs in production.
>> Find out how slow your code is with AppDynamics Lite.
>> http://ad.doubleclick.net/clk;262219672;13503038;z?
>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
> --
> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> http://uk.linkedin.com/in/jamieriden
>
>
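As an added example, not code from the thread: Python that rebuilds the request from the hex dump Dave pasted (request side only, ASCII column dropped), locates the Wireshark "[N bytes missing in capture file]" marker Alex points at, and shows what a bare content match and a content match with http_uri (which sees the percent-decoded URI) would each see for "rfihub". The helper names and the needle are assumptions of this example.

```python
import re
from urllib.parse import unquote
# Hex-dump lines copied from Dave's mail (ASCII column dropped), request side only.
REQUEST_DUMP = """\
00000000  47 45 54 20 2f 63 6d 3f  70 69 64 3d 32 30 37 36
00000010  32 35 30 66 2d 39 32 63  32 2d 34 65 63 64 2d 39
00000020  30 34 33 2d 63 63 36 33  65 65 36 63 34 35 37 37
00000030  26 64 73 74 3d 68 74 74  70 25 33 41 25 32 46 25
00000040  32 46 70 2e 72 66 69 68  75 62 2e 63 6f 6d 25 32
00000050  46 63 6d 25 33 46 69 6e
00000058  5b 31 32 37 32 20 62 79  74 65 73 20 6d 69 73 73
00000068  69 6e 67 20 69 6e 20 63  61 70 74 75 72 65 20 66
00000078  69 6c 65 5d
0000007C  61 74 68 65 72 2e 63 6f  6d 25 32 46 6d 61 6e 61
0000008C  67 65 64 66 65 25 32 46  6d 61 6b 65 52 65 71 75
0000009C  65 73 74 2d 6d 61 78 2e  68 74 6d 6c 25 33 46 70
000000AC  6f 73 25 33 44 57 58 5f  54 6f 70 33 30 30 56 61
000000BC  72 69 61 62 6c 65 26 70  66 3d 0d 0a 43 6f 6f 6b
000000CC  69 65 3a 20 69 3d 65 31
"""
# Wireshark's marker for data the capture lacks; it is display text, not traffic.
MISSING = re.compile(rb"\[(\d+) bytes missing in capture file\]")

def dump_to_bytes(dump):
    """Rebuild the raw payload from 'offset  xx xx ...' lines."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) > 1:
            out += bytes(int(h, 16) for h in fields[1:])
    return bytes(out)

def missing_bytes(raw):
    """Bytes Wireshark reports as absent from the stream (0 if complete)."""
    m = MISSING.search(raw)
    return int(m.group(1)) if m else 0

def request_uri(raw):
    """Request-target from the first request line, after dropping the marker."""
    line = MISSING.sub(b"", raw).split(b"\r\n", 1)[0]
    return line.split(b" ")[1].decode("latin-1")

def uri_matches(raw, needle="rfihub"):
    """(raw payload hit, normalized-URI hit): what a bare content match and a
    content match with http_uri (http_inspect percent-decodes) would see."""
    return needle.encode() in raw, needle in unquote(request_uri(raw)).lower()

if __name__ == "__main__":
    raw = dump_to_bytes(REQUEST_DUMP)
    print(missing_bytes(raw), "bytes missing;", uri_matches(raw), unquote(request_uri(raw)))
```

Both checks come back true for this dump, so the literal bytes are there; the 1272-byte hole is the more likely reason the request never reached rule evaluation intact.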