[Snort-sigs] Trouble with HTTP status message rule

Thu Mar 12 18:02:50 EDT 2015


On 03/12/2015 04:57 PM, Research wrote:
> Currently my rule is:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
>     (msg:"Web resource not found"; flow:established,to_server; \
>     content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
> 
> http://mywebserver.com/notthere
> 
> …the rule does not fire.
> 
> I was wondering what I am missing.

The direction of the rule seems wrong to me since the HTTPd would be going "HTTP
404" to the client.  I can't think of where the client would be sending an HTTP
Response code for an HTTP Request.  I think you want to flip it, and once you
do, it'll work.  Not sure why it fires in testing honestly unless you have '404'
somewhere in your HTTP Request...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; ...

Cheers,
Nathan
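The mismatch Nathan points out (a response-side modifier such as http_stat_code in a rule whose header and flow keyword describe client-to-server traffic) is mechanical enough to lint for. The following Python is an added example, not code from the thread or from the Snort project; it parses a rule header and its options and reports when the header direction, the flow keyword and the HTTP modifiers disagree. The two sample rules are constructed copies of the ones in the thread, with the elided sid/rev of the flipped rule filled in here for the example.

```python
import re

# Snort HTTP content modifiers are one-sided: request-side ones inspect what
# the client sends, response-side ones what the server sends back.
REQUEST_MODIFIERS = {"http_uri", "http_raw_uri", "http_method", "http_client_body"}
RESPONSE_MODIFIERS = {"http_stat_code", "http_stat_msg"}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<sport>\S+) "
    r"(?P<dir>->|<>) (?P<dst>\S+) (?P<dport>\S+) \((?P<opts>.*)\)$"
)

# Constructed copies of the thread's rule and the flipped rule (sid/rev of the
# flipped rule are filled in for this example; the reply elided them).
ORIGINAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \\\n'
    '    (msg: "Web resource not found"; flow:established,to_server; '
    'content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)'
)
FLIPPED_RULE = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Web resource '
    'not found"; flow:established,from_server; content:"404"; http_stat_code; '
    'sid:2000110; rev:2;)'
)

def check_http_direction(rule: str) -> list[str]:
    """Return direction inconsistencies between a rule's header, its flow
    keyword and its HTTP content modifiers; an empty list means none found."""
    # Drop line-continuation backslashes and collapse wrapped whitespace.
    m = HEADER_RE.match(" ".join(t for t in rule.split() if t != "\\"))
    if not m:
        return ["could not parse rule header"]
    opts = m.group("opts")
    # Option keywords such as http_stat_code (naive split: assumes no ';' in strings).
    keywords = {o.split(":")[0].strip() for o in opts.split(";") if o.strip()}
    flow = re.search(r"flow\s*:\s*([^;]+)", opts)
    flow_parts = {p.strip() for p in flow.group(1).split(",")} if flow else set()
    problems = []
    # In a '->' rule the inspected packets travel src -> dst, so a response
    # modifier needs the server ($HTTP_PORTS) on the source side.
    if m.group("dir") == "->":
        if keywords & RESPONSE_MODIFIERS and m.group("dport") == "$HTTP_PORTS":
            problems.append("response modifier, but header sends traffic to $HTTP_PORTS")
        if keywords & REQUEST_MODIFIERS and m.group("sport") == "$HTTP_PORTS":
            problems.append("request modifier, but header sends traffic from $HTTP_PORTS")
    # The flow keyword must point the same way as the modifiers.
    if keywords & RESPONSE_MODIFIERS and flow_parts & {"to_server", "from_client"}:
        problems.append("response modifier combined with flow to_server/from_client")
    if keywords & REQUEST_MODIFIERS and flow_parts & {"to_client", "from_server"}:
        problems.append("request modifier combined with flow to_client/from_server")
    return problems
```

Run against the two constructed rules, the original reports both the header and the flow problem while the flipped rule reports none.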
