[Snort-users] Issue while detecting patterns in a simple HTTP Page [Web client based]

Sujit Ghosal thesujit at ...11827...
Sun Nov 21 23:57:19 EST 2010


Below is my snort rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP Test Rule"; flow:established,to_client; content:"html"; nocase; classtype:web-application-attack; reference:url,www.exploit-db.com/exploits/999999; sid:9000; rev:1;)

And these are my snort.conf file entries: http://vim.pastey.net/143149

- Sujit

On Mon, Nov 22, 2010 at 6:43 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 11/21/2010 13:59, Sujit Ghosal wrote:
> > Hey Guys,
> >      I have installed Snort v2.8.x in FC-13//Ubuntu v10.10 and everything got
> > installed/configured (installed through Redhat Package Manager//Synaptic Package
> > Manager) successfully. But while writing a rule to detect a simple pattern
> > inside HTML body, snort is failing to do so! If I check for the HTTP MIME
> > headers only i.e. "Content-Type:", "Via:" etc. then snort detects those patterns
> > flawlessly. Even I wrote a simple rule to detect GET requests over $HTTP_PORTS
> > and it's working fine.
>
> can you post the rule that you have that is not working??
>
> > But while it comes to check for the contents inside the HTML body (client side
> > web pages) entity then snort is not even detecting a single <html> tag. I guess,
> > it's an issue with any preprocessors, but I have no idea that which preprocessor
> > could be creating such issues.
>
> we might need to see your snort.conf file, too... but let's look at your rule
> first ;)
>
> > I am fully stuck in that place and not able to figure out that how I should fix
> > this silly problem.
> >
> > Please help. Any help would be more appreciated.
>
> we will do what we can :)