[Snort-users] Content not being detected

Matt Olney molney at ...1935...
Mon Feb 9 22:39:24 EST 2009


I'm not at work, but try changing the POST/depth combo to:

content:"POST"; http_method; nocase;

Matt

On Mon, Feb 9, 2009 at 9:55 PM, Jimmy Tharel <jtharel at ...131...> wrote:
> I recently upgraded from Snort 2.6 to 2.8.3.1 and the following rule has
> quit working.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ALERT - POST -
> Execution of asp"; flow:to_server,established; uricontent:"/ab/dir1/";
> nocase; uricontent:".asp"; nocase; content: "POST"; depth: 4; nocase;
> classtype:web-application-activity; sid:1000004; rev:2;)
>
> It worked just fine in 2.6 but for whatever reason does not work in 2.8.3.1.
>
> My http_inspect section of my snort.conf is the same in both versions:
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> Could it be the difference between the Stream4 and Stream5 preprocessor?
> My Stream5 is configured with the defaults and the setup is:
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>
> I've read over the Stream5 README but I don't see anything that would be
> causing that rule not to work. I've played with the max_tcp and memcap
> settings but to no avail. Can anybody help me?
>
> Thanks!
>
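Added example, not from the thread: a Python sketch contrasting the two checks Matt's reply swaps, a raw `content`/`depth` match on the first bytes of the payload buffer versus pulling the method token out of each request line, which is the buffer `http_method` inspects. The request bytes are constructed, the parser is a toy rather than http_inspect, and the sketch shows only how the two semantics differ, not why Jimmy's rule stopped firing.

```python
def depth_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Emulate `content:"..."; depth:N; nocase;` on a raw payload:
    the pattern must appear within the first N bytes of the buffer."""
    return pattern.lower() in payload[:depth].lower()


def split_requests(buffer: bytes) -> list[bytes]:
    """Split a reassembled client-to-server buffer into individual HTTP
    requests, honouring Content-Length so request bodies are skipped.
    Toy parser for illustration only, not Snort's http_inspect."""
    requests = []
    pos = 0
    while pos < len(buffer):
        end = buffer.find(b"\r\n\r\n", pos)
        if end == -1:                     # truncated request, keep remainder
            requests.append(buffer[pos:])
            break
        head = buffer[pos:end]
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        nxt = end + 4 + length            # skip header terminator and body
        requests.append(buffer[pos:nxt])
        pos = nxt
    return requests


def http_methods(buffer: bytes) -> list[str]:
    """Method token of every request line in the buffer, i.e. the data an
    `http_method` modifier would be matched against per request."""
    return [req.split(b" ", 1)[0].decode("ascii", "replace")
            for req in split_requests(buffer)]


# Constructed sample traffic: a GET followed by a POST to an .asp page,
# delivered to the detection engine as one reassembled chunk.
GET_REQ = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n")
POST_REQ = (b"POST /ab/dir1/upload.asp HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Length: 7\r\n\r\n"
            b"a=1&b=2")
REASSEMBLED = GET_REQ + POST_REQ

if __name__ == "__main__":
    print(depth_match(POST_REQ, b"POST", 4))      # True: POST is first
    print(depth_match(REASSEMBLED, b"POST", 4))   # False: GET occupies depth 4
    print(http_methods(REASSEMBLED))              # ['GET', 'POST']
```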