[Snort-sigs] Can't generate alerts on HTTP GET attacks

Ryan ryan at ...3929...
Wed Jul 2 15:42:23 EDT 2014


You have a double slash (//) at the beginning of your content match
filter.  "//index.php?" vs "/index.php?"

Also, you could add:
content:"GET"; http_method;

-Ryan!

On 7/2/14 2:34 PM, Sabawoon Mageedzada wrote:
> Hi everyone, I would appreciate it if someone can help me please. I am a
> newb.
>
> I have to generate alerts running pcap files that contain HTTP GET
> attacks (might be a different level of attack).
>
> Provided examples after my buddy's request. I have copied these from a
> csv file. Sorry for the format. I have pcap files full of these
> attacks. But can't figure out a snort rule to generate alerts while
> running these packets.
>
> *This is my snort rule.*
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some
> kind of get attack attempt"; flow:to_server,established;
> content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F ";
> http_uri; content:"id="; meta; metadata:service http;
> reference:bugtraq,10129; classtype:web-application-activity;
> sid:2588001; rev:8;)
>
> *These are the attacks I got from my csv file, but they are also in
> pcap format. I have a lot of these kinds of attacks stored in pcap
> files but can't generate alerts when I run snort on pcap files.*
>
> 2010-Oct-07 03:19:14.760262 someip 53181 > someip 80 websiteurl
> /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
> vid=http://www.vimeo.com/moogaloop.swf?clip_id=/
>
> 2010-Oct-07 01:18:50.635566 some ip 57991 > some ip 80 urofwebsite
> /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
> keywords=http://revftdrcghjw.com/ HTTP/1.1
>
> 2010-Oct-07 01:18:51.615340 some ip 50523 > some ip 80 ureofwebsite
> /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F
> keywords=http:revftdrcghjw.com/ <http://revftdrcghjw.com/>
>
> 2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite
> /webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/
> <http://www.vimeo.com/moogaloop.swf?clip_id=1140523/>
> vid=http:/www.vimeo.com/moogaloop.swf?clip_id=/
> <http://www.vimeo.com/moogaloop.swf?clip_id=/> HTTP/1.1
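
To see why the posted rule stays silent on the quoted requests, here is a small Python model of how each content option is checked against the buffer its http_uri / http_method modifier selects; it is an added example, not Snort code or anything from the thread. The request lines are constructed from the quoted log excerpts, a content without a modifier is checked only against the request line, and the `decode` flag stands in for http_inspect's percent-decoding of the URI buffer, which depends on the profile in use (an assumption). CORRECTED_RULE is hypothetical: a single slash, no trailing space inside the quotes, and GET pinned with http_method, as the reply suggests.

```python
import re
from urllib.parse import unquote

# Constructed request lines, rebuilt from the log excerpts quoted in the thread.
REQUESTS = {
    "keywords_get": "GET /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F HTTP/1.1",
    "keywords_post": "POST /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F HTTP/1.1",
    "vimeo_get": "GET /webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/ HTTP/1.1",
}

# The rule as posted: note the leading "//" and the trailing space inside the quotes.
ORIGINAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; '
    'flow:to_server,established; content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "; '
    'http_uri; content:"id="; meta; metadata:service http; reference:bugtraq,10129; '
    'classtype:web-application-activity; sid:2588001; rev:8;)'
)
# Hypothetical corrected rule: single slash, no trailing space, and GET pinned via http_method.
CORRECTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"; http_uri; '
    'metadata:service http; classtype:web-application-activity; sid:2588001; rev:9;)'
)

# A content option followed by the option keywords that trail it (http_uri, http_method, nocase, ...).
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)";((?:\s*(?!content:)[a-z_]+(?::[^;]*)?;)*)')

def parse_contents(rule):
    """Return [(pattern, {keywords following it})] for every content option in the rule."""
    return [(pat, set(re.findall(r"([a-z_]+)(?::[^;]*)?;", mods)))
            for pat, mods in CONTENT_RE.findall(rule)]

def normalize_uri(uri, decode):
    """Approximate the normalized URI buffer: percent-decode when the profile does so
    (assumption; http_inspect applies further normalizations that are not modelled here)."""
    return unquote(uri) if decode else uri

def rule_matches(rule, request_line, decode):
    """Check every content option against the buffer its modifier selects; all must hit."""
    method, uri, _version = request_line.split(" ", 2)
    buffers = {"http_method": method, "http_uri": normalize_uri(uri, decode)}
    for pat, mods in parse_contents(rule):
        # Without http_uri/http_method the pattern is checked against the request line (simplified).
        buf = next((buffers[k] for k in ("http_uri", "http_method") if k in mods), request_line)
        hay, needle = (buf.lower(), pat.lower()) if "nocase" in mods else (buf, pat)
        if needle not in hay:
            return False
    return True
```

With decode=True the percent-encoded content stops matching, so a content meant for http_uri has to be written in the form the normalized buffer actually holds.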
