[Snort-sigs] Can't generate alerts on HTTP GET attacks

rmkml rmkml at ...174...
Wed Jul 2 16:38:29 EDT 2014


Welcome Sabawoon and Thx Ryan and YM,

Don't forget:
-only for testing, disable cksum verification (-k none)
-check var $EXTERNAL_NET $HTTP_SERVERS $HTTP_PORTS
-record network traffic if you need and check/replay
-simply your test with only one test and check snort stats http preproc verbose output
-check if snort not warn for http broken for example
-if not work, simplify your sig and test again... (it's work with simply /index.php ?)
-snort "normalize" http_uri: don't use %3A, use :
-and special normalize %2F%2F: use only one /
-remove extra space on ending http_uri
-if not work please post snort version + conf + verbose output + pcap please

Best Regards
@Rmkml



On Wed, 2 Jul 2014, Y M wrote:

> If you are looking for a rule covering bugtraq,10129 in general, there is a rule written already for that and should be in the community ruleset with sid:2588. If this is not what you are looking for then signatures
> specific to your case need to be written. However, it is not clear from the description you provided. Are those GET requests targeted to web servers run by you or by your friend? Depending on the direction, this may
> help:
> alert tcp $EXTERNAL_NET -> $HOME_NET 80 (msg:"some message here"; flow:to_server, established; content:"/index.php?"; http_uri; content:"keywords=http"; http_uri; metadata: service http;
> classtype:web-application-activity; sid:xxx; rev:1;)
> 
> alert tcp $EXTERNAL_NET -> $HOME_NET 80 (msg:"some message here"; flow:to_server, established; content:"/index.php?"; http_uri; content:"vid=http"; http_uri; metadata: service http; classtype:web-application-activity;
> sid:xxx; rev:1;)
> 
> There is room for enhancement by adding "depth" and "distance" modifiers to the above rules, but without pcaps, it would be difficult to test. Also, you can combine both of these in one rule with little modifications and
> pcre. I see in your rule a content of "id=", where this is coming from?
> 
> Also, is the path "/webcomm/masonVideos/index.php" static?
> 
> YM
> 
> ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
> Date: Wed, 2 Jul 2014 15:34:17 -0400
> From: sabawoon.majeedzada at ...2420...
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Can't generate alerts on HTTP GET attacks
> 
> Hi everyone, I would appreciate if someone can help me please. I am a new b.
> I have to generate alerts runing pcap files that contains HTTP GET attacks(Might be a different level of attak)
> 
> Provded examples after my buddy's request. i have copied these from csv file. Sorry for the format. I have pcap files full of these attacks. But can't figure out a snort rule to generate alerts while running these
> packets.
> 
> This is my snort rule.
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"some kind of get attack attempt"; flow:to_server,established; content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F "; http_uri; content:"id=";
> meta; metadata:service http; reference:bugtraq,10129; classtype:web-application-activity; sid:2588001; rev:8;)
> 
> These are the attacks I got it from my csv file but they are also in pcap format. I have a lot of these kinds of attacks stored in pcap filesbut can't generate alerts when I run snort on pcap files. 
> 
> 2010-Oct-07 03:19:14.760262     someip  53181   >       someip    80      websiteurl      /webcomm/myvidoesVideos/index.php?vid=http://www.vimeo.com/moogaloop.swf?clip_id=1140523/
>  vid=http://www.vimeo.com/moogaloop.swf?clip_id=/ 
> 
> 
> 2010-Oct-07 01:18:50.635566 some ip 57991 > some ip 80 urofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http://revftdrcghjw.com/ HTTP/1.1
> 
> 2010-Oct-07 01:18:51.615340 some ip 50523 > some ip 80 ureofwebsite /index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F keywords=http:revftdrcghjw.com/
> 
> 2010-Oct-07 01:42:00.631679 someip 34237 > someip 80 urlofwebsite /webcomm/masonVideos/index.php?vid=http:/www.vimeo.com/moogaloop.swf?clip_id=1140523/ vid=http:/www.vimeo.com/moogaloop.swf?clip_id=/ HTTP/1.1
>


More information about the Snort-sigs mailing list