[Snort-users] Help with a rule

Luis Daniel Lucio Quiroz luis.daniel.lucio at ...11827...
Fri Mar 6 13:22:42 EST 2009


Thx

However, when I apply the rule:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type 
detected in web traffic"; flow:established,from_server; content:"Content-Type 
|3A| text/"; nocase; sid:1000001; rev:1; \
 classtype:web-application-activity;)

I got

ERROR: Warning: rules/local.rules(10) => Unknown keyword ' sid' in rule!
Fatal Error, Quitting..


What am I missing? Regards,

LD


On Friday 06 March 2009 08:12:54 Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with
> "alert" instead of "log" and skipping the "tag:session;" may be smart - it
> would be easy to overload your IDS with this if it's not very powerful, or
> if it's attempting to do anything else.
>
> That said, the rule you'd want for a purpose like this - which I'm sure you
> realize is only stopgap, since it's really the web app's job to be doing
> logging like this - would look more like:
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type
> detected in web traffic"; flow:established,from_server;
> content:"Content-Type|3A| text/"; nocase;
> classtype:web-application-activity; sid:1000001; rev:1;)
>
> Key differences:
>
> * $HTTP_PORTS is actually a default Snort variable, as opposed to
> $PORT_HTTP
> * Since the Content-Type header will be present in things coming *from*
> the web server, and not going to it, the direction is set properly now
> * "flow:established,from_server"; will save Snort a lot of work looking at
> packets that will never match, based on them being in the wrong part of
> the TCP stream
> * The "|3A|" in the content is necessary, because a colon in a content
> clause will cause a syntax error
> * Removed "http_header", since it's for client requests, and you're looking
> for server responses
> * Removed quotes from the classtype, as that's another fatal syntax error
>
> Hope that helps.
>
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
>
> On Thu, Mar 5, 2009 at 11:21 PM, Frank Knobbe <frank at ...9761...> wrote:
> > On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > > > Logs al http packets that has a text/* mime type.
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime
> > > type detected in web traffic"; content:"Content-Type: text/";
> > > http_header; classtype:"web-application-activity"; sid:1000001; rev:1;)
> >
> > Does it capture all packets? Does it log? (Your rule alerts)
> >
> > Strictly speaking, you probably would want to use the following
> > modifications for his specific need:
> >
> > log tcp any any -> any $PORT_HTTP (msg:"text mime type
> > detected in web traffic"; content:"Content-Type: text/"; http_header;
> > classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)
> >
> > :)
> >
> > Cheers,
> > Frank
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
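As an added example (not code from this thread, and not Snort's own rule parser), the following Python script models the few syntax points the replies above turn on and runs the rules as posted through it: the ':' after msg, classtype without quotes, the characters the Snort manual requires to be escaped inside content (';', '\', '"'), backslash line continuation, |hex| byte segments, and nocase matching against a constructed request and response. The sample HTTP request and response, the multi-line corrected rule and the checker's keyword list (a small subset of Snort's) are my own constructions.

```python
"""Toy checker for Snort 2 rule syntax, plus a content matcher.

Added example, not code from the thread and not Snort's own parser.  It
models only what the replies above trip over: option keywords, the ':'
after msg, an unquoted classtype, the characters Snort requires escaped
inside content (';', '\\', '"'), backslash line continuation, |hex| byte
segments, and case-insensitive (nocase) matching.
"""
import re

# Small subset of Snort's option keywords (an assumption; enough for the thread).
KNOWN_OPTIONS = {"msg", "flow", "content", "nocase", "http_header", "classtype",
                 "sid", "rev", "tag", "reference", "priority", "offset", "depth"}
FLAG_OPTIONS = {"nocase", "http_header"}      # keywords that take no value

HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    opts, cur, in_quotes, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    opts.append(cur.strip())
    return [o for o in opts if o]


def check_rule(rule):
    """Return a list of error strings; an empty list means the rule passes."""
    errors = []
    rule = rule.replace("\\\n", "")           # backslash-newline joins lines
    if "\n" in rule:
        errors.append("rule spans several lines without '\\' continuation")
        rule = rule.replace("\n", " ")
    m = HEADER_RE.match(rule.strip())
    if not m:
        return errors + ["cannot parse rule header"]
    seen = set()
    for opt in split_options(m.group(8)):
        kw, _, val = opt.partition(":")
        kw, val = kw.strip(), val.strip()
        if kw not in KNOWN_OPTIONS:            # e.g. msg"..." with no colon
            errors.append(f"Unknown keyword '{kw}' in rule")
            continue
        seen.add(kw)
        if kw in FLAG_OPTIONS:
            continue
        if kw in ("msg", "content"):
            if len(val) < 2 or val[0] != '"' or val[-1] != '"':
                errors.append(f"{kw} value must be double-quoted")
            elif kw == "content" and re.search(r'(?<!\\)[;"]', val[1:-1]):
                errors.append("unescaped ';' or '\"' inside content")
        elif kw == "classtype" and val.startswith('"'):
            errors.append("classtype value must not be quoted")
    if "sid" not in seen:
        errors.append("rule has no sid")
    return errors


def content_bytes(spec):
    """Expand a content string with |hex| segments into the bytes Snort matches."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(spec, payload, nocase=False):
    """True if the content bytes occur in payload (case-folded when nocase)."""
    needle = content_bytes(spec)
    return needle.lower() in payload.lower() if nocase else needle in payload


# Rules as posted in the thread, plus a corrected multi-line version (constructed).
PAUL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime '
             'type detected in web traffic"; content:"Content-Type: text/"; '
             'http_header; classtype:"web-application-activity"; sid:1000001; rev:1;)')
ALEX_RULE_AS_POSTED = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg"text '
                       'mime type detected in web traffic"; flow:established,from_server; '
                       'content:"Content-Type|3A| text/"; nocase; '
                       'classtype:web-application-activity; sid:1000001; rev:1;)')
FIXED_RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( \\\n'
              '    msg:"text mime type detected in web traffic"; \\\n'
              '    flow:established,from_server; \\\n'
              '    content:"Content-Type|3A| text/"; nocase; \\\n'
              '    classtype:web-application-activity; sid:1000001; rev:1; \\\n'
              ')')

# Constructed sample traffic: a client request and the server's response.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Accept: text/html\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\ncontent-type: TEXT/html; charset=utf-8\r\n"
            b"Content-Length: 13\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, rule in (("Paul", PAUL_RULE), ("Alex", ALEX_RULE_AS_POSTED), ("fixed", FIXED_RULE)):
        print(f"{name:>5}: {check_rule(rule) or 'OK'}")
    spec = "Content-Type|3A| text/"
    print("request matches    :", content_matches(spec, REQUEST, nocase=True))
    print("response matches   :", content_matches(spec, RESPONSE, nocase=True))
    print("response, no nocase:", content_matches(spec, RESPONSE))
```

Running it rejects Paul's rule for the quoted classtype and Alex's for the missing colon after msg, and accepts the corrected multi-line rule. The matcher shows why the rule belongs on the from_server side (only the response carries Content-Type) and why nocase matters when a server emits `content-type: TEXT/html`. For a real sensor, `snort -T -c snort.conf` remains the authoritative syntax check before loading local.rules.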