I have just begun writing my own rules for Snort. While I am aware that there are pre-existing rules that are probably (1) more accurate, (2) more optimized and (3) time-tested, I am aiming to learn how to write rules from scratch.

I currently have a basic rule that looks for a request to a web server for the “robots” file for crawling.  The idea behind this rule is to receive notification when a web crawler indexes the web server.  The early draft of the rule looks like this:

	alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
		(msg:"Web crawl attempt: robots.txt"; content:"robot"; sid:10000002; rev:1;)

If I perform a simple test with telnet:

	telnet www.example.org 80
	GET /robot

…I see the results in the alerts.log file in /var/log/snort.

My next step in optimizing the rule was to use the flow quantifier. I used the established option to specify traffic that had already completed a three-way handshake and to_server to specify a flow from a client to the server. The rule looks like:

	alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
		(msg:"Web crawl attempt: robots.txt"; flow:established,to_server; content:"robot"; sid:10000002; rev:2;)

…however, my telnet test from before now does not cause an event to be logged.  If I remove the flow:established,to_server; portion, the rule then works again.

I am unaware of flow having to be in a specific position in the rule (i.e. after content), so I am not sure what the problem could be.   When I am running snort, I use the following command line:

	sudo /usr/local/bin/snort -A fast -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

I am wondering what I am doing incorrectly?
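The difference between the two rules comes down to session tracking: in Snort the flow keyword is evaluated by the stream preprocessor, so `flow:established` is only satisfied for a connection whose SYN, SYN/ACK and ACK the sensor actually saw, and `to_server` is judged relative to whichever side sent the SYN. The following added example (not code from the original post and not Snort's own code) models that mechanism in Python and runs both versions of the rule over two constructed packet traces: one where the sensor saw the full handshake before the `GET /robot` request, and one where it did not. The addresses (203.0.113.5 standing in for $EXTERNAL_NET, 10.0.0.20 for $HOME_NET), ports and payloads are all constructed for the example.

```python
"""Model of the TCP session tracking behind Snort's flow:established,to_server.

Added example: this is not code from the original post or from Snort itself.
Addresses, ports and payloads below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

HTTP_PORTS = {80, 8080}     # stands in for $HTTP_PORTS (assumed values)
HOME_PREFIX = "10."         # stands in for $HOME_NET (assumed 10.0.0.0/8)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_PREFIX)


def flow_key(p: Packet):
    """Direction-independent key for the connection 4-tuple."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StreamTracker:
    """Tracks the three-way handshake per connection, as the stream preprocessor does."""

    def __init__(self):
        self.state = {}     # key -> "SYN" | "SYN_ACK" | "ESTABLISHED"
        self.client = {}    # key -> (ip, port) of the side that sent the SYN

    def update(self, p: Packet) -> Optional[str]:
        k = flow_key(p)
        st = self.state.get(k)
        if p.flags == "S" and st is None:
            self.state[k] = "SYN"
            self.client[k] = (p.src, p.sport)
        elif p.flags == "SA" and st == "SYN" and (p.dst, p.dport) == self.client[k]:
            self.state[k] = "SYN_ACK"
        elif "A" in p.flags and st == "SYN_ACK" and (p.src, p.sport) == self.client[k]:
            self.state[k] = "ESTABLISHED"
        # A packet on a 4-tuple whose handshake was never seen stays untracked.
        return self.state.get(k)

    def direction(self, p: Packet) -> Optional[str]:
        k = flow_key(p)
        if k not in self.client:
            return None
        return "to_server" if (p.src, p.sport) == self.client[k] else "to_client"


def rule_matches(p: Packet, tracker: StreamTracker, require_flow: bool) -> bool:
    """Emulates: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
    ( [flow:established,to_server;] content:"robot"; )"""
    # Rule header: source external, destination in home net on an HTTP port.
    if is_home(p.src) or not is_home(p.dst) or p.dport not in HTTP_PORTS:
        return False
    if require_flow:
        # flow:established -> the tracker must have seen the handshake complete.
        if tracker.state.get(flow_key(p)) != "ESTABLISHED":
            return False
        # flow:to_server -> packet must travel from the SYN sender to the other side.
        if tracker.direction(p) != "to_server":
            return False
    return b"robot" in p.payload


def run(packets, require_flow: bool):
    """Returns the indices of the packets that raise the alert."""
    tracker = StreamTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        if rule_matches(p, tracker, require_flow):
            alerts.append(i)
    return alerts


EXT, HOME = "203.0.113.5", "10.0.0.20"      # constructed addresses

# Constructed trace: full handshake, then the request the telnet test sends.
FULL_HANDSHAKE = [
    Packet(EXT, 40000, HOME, 80, "S"),
    Packet(HOME, 80, EXT, 40000, "SA"),
    Packet(EXT, 40000, HOME, 80, "A"),
    Packet(EXT, 40000, HOME, 80, "PA", b"GET /robot\r\n"),
]

# Constructed trace: same request, but the sensor never saw the handshake
# (started mid-session, or stream tracking not in effect for this traffic).
NO_HANDSHAKE = [
    Packet(EXT, 40000, HOME, 80, "PA", b"GET /robot\r\n"),
]

if __name__ == "__main__":
    for name, trace in (("full handshake", FULL_HANDSHAKE), ("no handshake", NO_HANDSHAKE)):
        print(name, "- without flow:", run(trace, False), "with flow:", run(trace, True))
```

The rule without `flow` fires on the bare request in both traces, while the rule with `flow:established,to_server` fires only when the handshake was tracked first. When testing a `flow:established` rule, this is the thing to confirm: the stream preprocessor must be enabled for the port in question, and the sensor must see the whole connection from the SYN onward rather than picking it up mid-stream.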


