[Snort-sigs] SOLVED - Trouble with HTTP status message rule

Research research at ...4016...
Thu Mar 12 18:02:36 EDT 2015


On Mar 12, 2015, at 5:57 PM, Research <research at ...4016...> wrote:

> Hello,
> 
> I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server.  While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.
> 
> Currently my rule is:
> 
> 	alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
> 	    (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
> 
> I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:
> 
> 	http://mywebserver.com/notthere
> 
> …the rule does not fire.
> 
> I was wondering what I am missing.
> 
> Thanks

Discovered what I was doing wrong.  Should have been tracking this as a response *FROM* the server, not inbound traffic.

The following rule solves the problem:

	alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
	    (msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
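
As an added illustration of why the first rule stayed silent (this is example code written for this page, not Snort's own matching engine and not from the thread), the script below models the three checks that matter here: the rule header's source/destination nets and ports, the `flow` direction, and a `content` match restricted by `http_stat_code` to the status-code field of a response. It runs both rules from the thread over a constructed request/response exchange. Assumed values: `$HOME_NET` is the single host 10.0.0.5, `$HTTP_PORTS` is {80}, the client 198.51.100.7 is a documentation-range address, and the "server side" of a flow is taken to be whichever end holds an HTTP port (a simplification of Snort's stream tracking).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-ins for the snort.conf variables (not real deployment values).
HOME_NET: Set[str] = {"10.0.0.5"}
HTTP_PORTS: Set[int] = {80}


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    src_net: str      # "$HOME_NET" or "$EXTERNAL_NET"
    src_ports: str    # "$HTTP_PORTS" or "any"
    dst_net: str
    dst_ports: str
    flow: str         # "to_server" or "from_server"
    stat_code: str    # the content matched under the http_stat_code modifier


def _net_matches(var: str, ip: str) -> bool:
    return (ip in HOME_NET) if var == "$HOME_NET" else (ip not in HOME_NET)


def _port_matches(var: str, port: int) -> bool:
    return True if var == "any" else port in HTTP_PORTS


def http_stat_code(payload: bytes) -> Optional[str]:
    """Status code from an HTTP response status line; None for requests or non-HTTP data.

    This is the field http_stat_code confines the content match to, so a "404"
    inside a request URL or a body never satisfies the rule."""
    m = re.match(rb"HTTP/\d\.\d (\d{3}) ", payload)
    return m.group(1).decode("ascii") if m else None


def rule_fires(rule: Rule, pkt: Packet) -> bool:
    # 1. Rule header: nets and ports are evaluated in the packet's travel direction.
    if not (_net_matches(rule.src_net, pkt.src_ip) and _port_matches(rule.src_ports, pkt.src_port)
            and _net_matches(rule.dst_net, pkt.dst_ip) and _port_matches(rule.dst_ports, pkt.dst_port)):
        return False
    # 2. flow: simplified as "the server is the end holding an HTTP port".
    if rule.flow == "to_server" and pkt.dst_port not in HTTP_PORTS:
        return False
    if rule.flow == "from_server" and pkt.src_port not in HTTP_PORTS:
        return False
    # 3. content:"..."; http_stat_code; compares against the parsed status code only.
    return http_stat_code(pkt.payload) == rule.stat_code


def evaluate(rule: Rule, packets: List[Packet]) -> List[str]:
    """One alert message per packet the rule fires on."""
    return [rule.msg for p in packets if rule_fires(rule, p)]


# The two rules from the thread, reduced to the options this model understands.
ORIGINAL_RULE = Rule("Web resource not found", "$EXTERNAL_NET", "any",
                     "$HOME_NET", "$HTTP_PORTS", "to_server", "404")
FIXED_RULE = Rule("Web resource not found", "$HOME_NET", "$HTTP_PORTS",
                  "$EXTERNAL_NET", "any", "from_server", "404")

# Constructed exchange: the /notthere request and its 404, then a request whose
# path happens to contain "404" and gets a 200 (should not alert under either rule).
CLIENT, SERVER = "198.51.100.7", "10.0.0.5"
EXCHANGE = [
    Packet(CLIENT, 51234, SERVER, 80, b"GET /notthere HTTP/1.1\r\nHost: mywebserver.com\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 51234, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    Packet(CLIENT, 51234, SERVER, 80, b"GET /page404 HTTP/1.1\r\nHost: mywebserver.com\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 51234, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    print("original rule:", evaluate(ORIGINAL_RULE, EXCHANGE))   # []
    print("fixed rule:   ", evaluate(FIXED_RULE, EXCHANGE))      # ['Web resource not found']
```

The original rule's header only admits client-to-server packets, and those carry a request line, so `http_stat_code` has nothing to match; the fixed rule's header, `from_server` flow and status-code match all describe the same packet, the server's response.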
