[Snort-sigs] SOLVED - Trouble with HTTP status message rule
research at ...4016...
Thu Mar 12 18:02:36 EDT 2015
On Mar 12, 2015, at 5:57 PM, Research <research at ...4016...> wrote:
> I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server. While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.
> Currently my rule is:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
> (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
> I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:
> …the rule does not fire.
> I was wondering what I am missing.
Discovered what I was doing wrong. Should have been tracking this as a response *FROM* the server, not inbound traffic.
The following rule solves the problem:
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
(msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
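The fix above comes down to direction: http_stat_code matches the status code in the HTTP response status line, and that line only exists in traffic leaving the server, so a rule written with to_server has nothing to match. To exercise the corrected rule without a live web server, the following script (an added example, not code from the original post) writes a small pcap holding one complete TCP session with a constructed GET request and a constructed "HTTP/1.1 404 Not Found" reply, with valid IP and TCP checksums so Snort does not discard the frames. The client and server addresses (203.0.113.5 and 192.0.2.10), the ports, and the request and response bodies are all constructed test data; the output filename http404.pcap is likewise an assumption.

```python
"""Build a pcap with one HTTP exchange ending in a 404, for testing a Snort
rule offline, e.g.:  snort -c snort.conf -r http404.pcap -A console
Added example; not from the original post. Addresses, ports and the
request/response below are constructed test data."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed sample data: 203.0.113.5 plays the $EXTERNAL_NET client,
# 192.0.2.10 the $HOME_NET web server listening on port 80.
CLIENT, SERVER, CLIENT_PORT, SERVER_PORT = "203.0.113.5", "192.0.2.10", 40123, 80
REQUEST = b"GET /does-not-exist HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 9\r\n\r\nNot Found")


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used for both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with correct checksums; Snort verifies
    them by default and silently drops frames that fail."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def http_exchange(request=REQUEST, response=RESPONSE):
    """Frames of a full session: handshake, request, response, final ACK.
    The 'established' flow state needs the handshake to be present."""
    c, s = 1000, 5000  # arbitrary initial sequence numbers

    def to_server(seq, ack, flags, data=b""):
        return tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, seq, ack, flags, data)

    def to_client(seq, ack, flags, data=b""):
        return tcp_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, seq, ack, flags, data)

    return [
        to_server(c, 0, SYN),
        to_client(s, c + 1, SYN | ACK),
        to_server(c + 1, s + 1, ACK),
        to_server(c + 1, s + 1, PSH | ACK, request),
        to_client(s + 1, c + 1 + len(request), ACK),
        to_client(s + 1, c + 1 + len(request), PSH | ACK, response),
        to_server(c + 1 + len(request), s + 1 + len(response), ACK),
    ]


def write_pcap(path, frames):
    """Classic libpcap file: magic, version 2.4, snaplen 65535, link type 1."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1426000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def status_codes_by_direction(frames):
    """Show what http_stat_code can see: a status line appears only in
    frames whose source port is the server's, never in to_server traffic."""
    seen = {"to_server": [], "from_server": []}
    for frame in frames:
        sport = struct.unpack("!H", frame[34:36])[0]  # 14 B Ethernet + 20 B IPv4
        payload = frame[54:]                            # + 20 B TCP header
        if payload.startswith(b"HTTP/"):
            key = "from_server" if sport == SERVER_PORT else "to_server"
            seen[key].append(payload.split(b" ")[1])
    return seen


if __name__ == "__main__":
    frames = http_exchange()
    write_pcap("http404.pcap", frames)
    print(status_codes_by_direction(frames))
```

Replay the file with snort -r against a configuration whose $HOME_NET contains 192.0.2.10 and whose http_inspect server ports include 80; the original to_server rule stays silent on this capture, while the from_server rule fires on the sixth frame. The stream handshake is included deliberately, since flow:established will not match a session Snort never saw open.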