[Snort-sigs] Can't generate alerts on HTTP GET attacks

Y M snort at ...3751...
Wed Jul 2 16:09:16 EDT 2014


If you are looking for a rule covering bugtraq,10129 in general, there is a rule written already for that and should be in the community ruleset with sid:2588. If this is not what you are looking for then signatures specific to your case need to be written. However, it is not clear from the description you provided. Are those GET requests targeted to web servers run by you or by your friend? Depending on the direction, this may help:
alert tcp $EXTERNAL_NET -> $HOME_NET 80 (msg:"some message here"; flow:to_server, established; content:"/index.php?"; http_uri; content:"keywords=http"; http_uri; metadata: service http; classtype:web-application-activity; sid:xxx; rev:1;)
alert tcp $EXTERNAL_NET -> $HOME_NET 80 (msg:"some message here"; flow:to_server, established; content:"/index.php?"; http_uri; content:"vid=http"; http_uri; metadata: service http; classtype:web-application-activity; sid:xxx; rev:1;)
There is room for enhancement by adding "depth" and "distance" modifiers to the above rules, but without pcaps, it would be difficult to test. Also, you can combine both of these in one rule with little modifications and pcre. I see in your rule a content of "id=", where this is coming from?
Also, is the path "/webcomm/masonVideos/index.php" static?
YM
Date: Wed, 2 Jul 2014 15:34:17 -0400
From: sabawoon.majeedzada at ...2420...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Can't generate alerts on HTTP GET attacks

Hi everyone, I would appreciate if someone can help me please. I am a new b.
I have to generate alerts runing pcap files that contains HTTP GET attacks(Might be a different level of attak)


Provded examples after my buddy's request. i have copied these from csv file. Sorry for the format. I have pcap files full of these attacks. But can't figure out a snort rule to generate alerts while running these packets.

This is my snort rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; flow:to_server,established; content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "; http_uri; content:"id="; meta; metadata:service http; reference:bugtraq,10129; classtype:web-application-activity; sid:2588001; rev:8;)

These are the attacks I got it from my csv file but they are also in pcap format. I have a lot of these kinds of attacks stored in pcap filesbut can't generate alerts when I run snort on pcap files. 
2010-Oct-07 03:19:14.760262     someip  53181   >       someip    80      websiteurl      /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/  vid=http://www.vimeo.com/moogaloop.swf?clip_id=/ 



2010-Oct-07 01:18:50.635566 some ip 57991 > some ip 80 urofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http://revftdrcghjw.com/ HTTP/1.1

2010-Oct-07 01:18:51.615340 some ip 50523 > some ip 80 ureofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http:revftdrcghjw.com/
2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite /webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http:/www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140702/7c7f7d6d/attachment.html>


More information about the Snort-sigs mailing list