[Snort-users] AW: (Snort-users) (no subject)

sandro.poppi at ...3316...
Thu Jan 17 01:45:05 EST 2002


> Hello

Hi,

> I have some difficulty writing a rule that raises an alert
> for all cases except one.
>
> For instance : There is a rule in web-cgi.rules :
> it says :
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS,!212.180.75.34/32 80
> (msg:"WEB-CGI calendar access";flags:A+;
> uricontent:"/calendar"; nocase;
> classtype:attempted-recon; sid:882; rev:1;)
>
> BUT I have a site with a "Calendar.gif" file. What I want
> is uricontent "/calendar" but NOT Calendar.gif
>
> In the same way there is a rule on Names.nsf , but Names.nsf?Login is
> Legal ( it is the Only legal access )

In such a case I would suggest using a pass rule to filter that special
content, e.g.

pass tcp $EXTERNAL_NET any -> <ip of webserver> 80 (flags:A+;
uricontent:"/Calendar.gif";)

(the uricontent match is case-sensitive by default, so "Calendar.gif" is
matched exactly unless you add nocase)

Be as restrictive as you can when defining pass rules, so that you don't
let through something which shouldn't pass!

Don't forget to restart snort with the -o option!

HTH,
Sandro
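As an added example (not from Sandro's reply or the Snort distribution), here are both exceptions from the question written as pass rules next to the alert rule they exempt; it assumes $HTTP_SERVERS is set to the web server and uses placeholder sid values for the local rules:

```snort
# Added example: local rules for the two exceptions in the question.
# Assumes $HTTP_SERVERS covers the web server; sid:1000001/1000002 are
# placeholders, not sids from the page.

# Stock rule from web-cgi.rules: fires on any URI containing "/calendar"
# (case-insensitive because of nocase).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access"; flags:A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)

# Exception 1: the site's own image. Deliberately case-sensitive (no nocase),
# so a lower-case "/calendar.gif" request is NOT exempted and still alerts.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PASS Calendar.gif"; flags:A+; uricontent:"/Calendar.gif"; sid:1000001; rev:1;)

# Exception 2: the only legal access to Names.nsf is the login URI.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"PASS Names.nsf login"; flags:A+; uricontent:"/Names.nsf?Login"; sid:1000002; rev:1;)

# Start Snort with -o so the rule order becomes Pass -> Alert -> Log
# (default is Alert -> Pass -> Log, in which case the pass rules never win):
#   snort -o -c /etc/snort/snort.conf
```

A packet matched by a pass rule is dropped from all further inspection, so anything else in that same request goes unchecked; pin the destination to the one web server (as in the reply above) rather than the whole $HTTP_SERVERS list if you can.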
