[Snort-sigs] SOLVED - Trouble with HTTP status message rule

Research research at ...4016...
Thu Mar 12 22:58:37 EDT 2015


On Mar 12, 2015, at 7:04 PM, Joel Esler (jesler) <jesler at ...3865...> wrote:

> Keep in mind from_server = to_client.
> 
> 
>> On Mar 12, 2015, at 6:02 PM, Research <research at ...4016...> wrote:
>> 
>> 
>> On Mar 12, 2015, at 5:57 PM, Research <research at ...4016...> wrote:
>> 
>>> Hello,
>>> 
>>> I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server.  While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.
>>> 
>>> Currently my rule is:
>>> 
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
>>> (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
>>> 
>>> I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:
>>> 
>>> http://mywebserver.com/notthere
>>> 
>>> …the rule does not fire.
>>> 
>>> I was wondering what I am missing.
>>> 
>>> Thanks
>> 
>> Discovered what I was doing wrong.  Should have been tracking this as a response *FROM* the server, not inbound traffic.
>> 
>> The following rule solves the problem:
>> 
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
>> (msg: "Web resource not found"; flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)


Good point!

With the rule I also swapped the direction after the protocol:

	alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \ (snip)

…instead of incoming traffic:

	alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \ (snip)

…and now the rule fires.
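The mistake in this thread (a response-only buffer such as http_stat_code combined with flow:to_server, and then a header whose port side still points at the server) is mechanical enough to lint for. The following is an added example, not code from the thread or from the Snort project: a small Snort 2 rule parser plus a consistency check that flags the original rule, the half-fixed variant (flow corrected but header not swapped, the case Joel's hint covers), and accepts the final rule. The rule strings are constructed copies of the ones quoted above.

```python
import re

# Buffers that exist only in server responses: a rule inspecting them with
# flow:to_server (or its alias from_client) can never fire.
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

def parse_rule(text):
    """Split a Snort 2 rule into header fields plus an option-name -> values map.
    Naive option split: assumes no ';' inside quoted values (true for these rules)."""
    m = HEADER_RE.match(text.replace("\\\n", " "))  # join '\'-continued lines
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    rule = m.groupdict()
    rule["options"] = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            name, _, value = opt.partition(":")
            rule["options"].setdefault(name.strip(), []).append(value.strip())
    return rule

def direction_problems(text):
    """Return a list of inconsistencies between header direction, flow and buffers."""
    rule = parse_rule(text)
    opts = rule["options"]
    flags = {f.strip() for f in opts.get("flow", [""])[0].split(",")}
    to_server = bool(flags & {"to_server", "from_client"})  # aliases
    to_client = bool(flags & {"to_client", "from_server"})  # aliases
    problems = []
    used = sorted(RESPONSE_ONLY & set(opts))
    if used and to_server:
        problems.append(f"{used} match only server responses, but flow is to_server")
    if to_client and rule["sport"] != "$HTTP_PORTS":
        problems.append("response rule (to_client/from_server) but source port is not $HTTP_PORTS")
    if to_server and rule["dport"] != "$HTTP_PORTS":
        problems.append("request rule (to_server) but destination port is not $HTTP_PORTS")
    return problems

# Constructed copies of the thread's rules; HALF_FIXED has the flow corrected only.
ORIGINAL = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Web resource not found"; '
            'flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)')
HALF_FIXED = ORIGINAL.replace("to_server", "from_server")
FIXED = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "Web resource not found"; '
         'flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)')
```

Running `direction_problems` over the three rules reports one problem each for ORIGINAL and HALF_FIXED and none for FIXED.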