[Snort-sigs] Can't generate alerts on HTTP GET attacks

Sabawoon Mageedzada sabawoon.majeedzada at ...2420...
Wed Jul 2 15:34:17 EDT 2014


Hi everyone, I would appreciate it if someone could help me, please. I am a newbie.

I have to generate alerts running pcap files that contain HTTP GET
attacks (might be a different level of attack).

Provided examples after my buddy's request. I have copied these from a CSV
file. Sorry for the format. I have pcap files full of these attacks, but I
can't figure out a Snort rule to generate alerts while running these
packets.

This is my Snort rule.

# Corrected from the rule as posted: "meta;" is not a Snort rule option, so the rule never loads,
# and the posted content "//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F " (double slash,
# %XX-encoded, trailing space) cannot match http_uri, which is the normalized (percent-decoded) URI.
# The unmodified content:"id=" was dropped: it had to appear in the same payload, and never does.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; \
    flow:to_server,established; \
    content:"/index.php?keywords=http://revftdrcghjw.com/"; http_uri; nocase; \
    metadata:service http; reference:bugtraq,10129; \
    classtype:web-application-activity; sid:2588001; rev:8;)

These are the attacks I got from my CSV file, but they are also in pcap
format. I have a lot of these kinds of attacks stored in pcap files but
can't generate alerts when I run Snort on the pcap files.

2010-Oct-07 03:19:14.760262 someip 53181 > someip 80 websiteurl /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http://www.vimeo.com/moogaloop.swf?clip_id=/

2010-Oct-07 01:18:50.635566 someip 57991 > someip 80 urlofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http://revftdrcghjw.com/ HTTP/1.1

2010-Oct-07 01:18:51.615340 someip 50523 > someip 80 urlofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http://revftdrcghjw.com/

2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite /webcomm/masonVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http://www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1
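Added example (editor's note, not part of the thread and not Snort's own code): the script below models, in Python, what a Snort 2.9 `content` option sees when the `http_uri` buffer is selected, and runs the rule's content string against the request-URIs quoted above. http_inspect hands `http_uri` the normalized URI (percent-decoded, repeated slashes collapsed, no trailing space), while `http_raw_uri` gets the bytes as sent; `normalized_uri()` is a rough approximation of that normalization, not Snort's implementation. The posted content `//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F ` (leading double slash, %XX-encoded, trailing space) therefore matches neither buffer, whereas the decoded form matches `http_uri`. The sample URIs are copied from the CSV rows in the post; the fourth, benign one is constructed here as a negative control. `url_valued_params()` generalizes the two URI families in the post (`keywords=http://...`, `vid=http://...`) to any query parameter whose decoded value is itself an absolute URL, the shape typical of remote-file-inclusion probing; the post itself does not name the attack class.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request-URIs copied from the CSV rows quoted in the post. The last entry is
# constructed here as a benign control and is not from the post.
SAMPLE_URIS = [
    "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F",
    "/webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/",
    "/webcomm/masonVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=/",
    "/index.php?keywords=snort+rules&page=2",  # constructed, benign
]

# The content string exactly as it appears in the posted rule, and a decoded
# form that targets the normalized http_uri buffer instead.
POSTED_CONTENT = "//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "
FIXED_CONTENT = "/index.php?keywords=http://revftdrcghjw.com/"


def normalized_uri(raw_uri):
    """Approximation of the http_uri buffer built by http_inspect: %XX
    sequences are decoded and runs of '/' in the path are collapsed.
    http_raw_uri is simply the URI as sent, so no function is needed for it."""
    decoded = unquote(raw_uri)
    path, sep, query = decoded.partition("?")
    return re.sub(r"/{2,}", "/", path) + sep + query


def content_matches(content, buffer, nocase=False):
    """Snort's content option is a substring test on the selected buffer;
    it is case-sensitive unless nocase is given."""
    if nocase:
        return content.lower() in buffer.lower()
    return content in buffer


def rule_hits(content, use_raw_uri=False):
    """Sample URIs on which a rule with this single content option would
    fire, against http_uri (default) or http_raw_uri."""
    hits = []
    for uri in SAMPLE_URIS:
        buf = uri if use_raw_uri else normalized_uri(uri)
        if content_matches(content, buf):
            hits.append(uri)
    return hits


# Parameter values that are absolute URLs (http, https or ftp scheme).
URL_VALUE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def url_valued_params(raw_uri):
    """Generalization of both URI families in the post: every query
    parameter whose decoded value is itself an absolute URL. parse_qsl
    percent-decodes, so encoded and unencoded forms are treated alike."""
    _, _, query = raw_uri.partition("?")
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if URL_VALUE.match(value)]


if __name__ == "__main__":
    print("posted content vs http_uri     :", rule_hits(POSTED_CONTENT))
    print("posted content vs http_raw_uri :", rule_hits(POSTED_CONTENT, use_raw_uri=True))
    print("decoded content vs http_uri    :", rule_hits(FIXED_CONTENT))
    for uri in SAMPLE_URIS:
        print(uri, "->", url_valued_params(uri))
```

The same generalization in Snort syntax would be a `pcre` with the `U` modifier (normalized URI buffer), e.g. `pcre:"/[?&][^=&]+=(?:https?|ftp):\/\//Ui"`, which covers both the `keywords=` and the `vid=` requests without a content per hostname. Two things to rule out when replaying pcaps before blaming the rule: run Snort with `-k none` (`snort -c snort.conf -r attacks.pcap -A console -k none`, where `attacks.pcap` is a placeholder name), because captures taken on a host with checksum offload carry bad TCP checksums and Snort skips those packets by default; and make sure `$HOME_NET` (hence `$HTTP_SERVERS`) actually contains the server addresses in the capture, since with the default `$EXTERNAL_NET = !$HOME_NET` a mismatch silently excludes every packet. If the capture starts mid-connection, check the `require_3whs` setting of stream5 and try the rule once without `established` to see whether the flow keyword is what blocks the match.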