[Snort-users] Issue while detecting patterns in a simple HTTP Page [Web client based]

Alex Kirk akirk at ...1935...
Mon Nov 22 08:32:28 EST 2010


This is most likely an issue with your server_flow_depth variable, which
controls the amount of payload being returned from a web server that is
inspected by Snort. By default, it's set to 300 bytes - generally enough to
get the HTTP headers and not a great deal else. You can up the value as
desired, including setting it to 0 if you want to inspect everything that's
returned from a web server. Note that, if you do and you're on a busy
network, you may see some performance issues - HTTP traffic is generally
around 90% of what you get on a standard Internet connection, and what comes
down from servers is generally 90% or so of that traffic. Of course, if
you're a home user or an SMB, you'll probably be fine, assuming you're
running on a decent, modern box.

On Sun, Nov 21, 2010 at 11:57 PM, Sujit Ghosal <thesujit at ...11827...> wrote:

> Below is my snort rule:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP Test Rule";
> flow:established,to_client; content:"html"; nocase;
> classtype:web-application-attack; reference:url,
> www.exploit-db.com/exploits/999999; sid:9000; rev:1;)
>
> And this is my snort.conf file entries: http://vim.pastey.net/143149
>
> - Sujit
>
>
> On Mon, Nov 22, 2010 at 6:43 AM, waldo kitty <wkitty42 at ...14940...>wrote:
>
>> On 11/21/2010 13:59, Sujit Ghosal wrote:
>> > Hey Guys,
>> >      I have installed Snort v2.8.x in FC-13//Ubuntu v10.10 and
>> everything got
>> > installed/configured (installed through Redhat Package Manager//Synaptic
>> Package
>> > Manager) successfully. But while writing a rule to detect a simple
>> pattern
>> > inside HTML body, snort is failing to do so! If I check for the HTTP
>> MIME
>> > headers only i.e. "Content-Type:", "Via:" etc. then snort detects those
>> patterns
>> > flawlessly. Even I wrote a simple rule to detect GET requests over
>> $HTTP_PORTS
>> > and it's working fine.
>>
>> can you post the rule that you have that is not working??
>>
>> > But while it comes to check for the contents inside the HTML body
>> (client side
>> > web pages) entity then snort is not even detecting a single <html> tag.
>> I guess,
>> > it's an issue with any preprocessors, but I have no idea which
>> preprocessor
>> > could be creating such issues.
>>
>> we might need to see your snort.conf file, too... but let's look at your
>> rule
>> first ;)
>>
>> > I am fully stuck in that place and not able to figure out that how I
>> should fix
>> > this silly problem.
>> >
>> > Please help. Any help would be more appreciated.
>>
>> we will do what we can :)
>>
>>
>> ------------------------------------------------------------------------------
>> Beautiful is writing same markup. Internet Explorer 9 supports
>> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
>> Spend less time writing and  rewriting code and more time creating great
>> experiences on the web. Be a part of the beta today
>> http://p.sf.net/sfu/msIE9-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
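A simulation of the server_flow_depth behaviour described in the reply above, added here as an example (it is neither Snort code nor the poster's configuration): a constructed response whose headers alone run past 300 bytes shows why a body pattern is never handed to the detection engine at the default depth, what the smallest depth that would reach the `<html>` tag is, and that the bare pattern "html" also lives in the Content-Type header, so it would fire on headers once the depth covers them.

```python
# Simplified model of Snort 2.8 http_inspect server_flow_depth as the reply
# describes it: only the first N bytes of a server response are inspected,
# and 0 means inspect the whole response. Added example, not Snort's code;
# the HTTP response below is constructed for the demonstration.

COOKIE = b"a" * 120  # a long cookie is all it takes to push headers past 300 bytes

CONSTRUCTED_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Date: Mon, 22 Nov 2010 08:00:00 GMT",
    b"Server: Apache/2.2.16 (Ubuntu)",
    b"Via: 1.1 proxy.example.invalid",
    b"Set-Cookie: session=" + COOKIE + b"; Path=/; HttpOnly",
    b"Cache-Control: no-cache",
    b"Content-Type: text/html; charset=UTF-8",
    b"Content-Length: 61",
    b"",  # empty line terminates the headers
    b"<html><head><title>t</title></head><body>hello</body></html>\n",
])


def inspected_window(payload: bytes, server_flow_depth: int) -> bytes:
    """Bytes of a server response that reach the detection engine.
    0 inspects everything; any other value truncates at that many bytes."""
    if server_flow_depth == 0:
        return payload
    return payload[:server_flow_depth]


def content_matches(payload: bytes, pattern: bytes, server_flow_depth: int,
                    nocase: bool = True) -> bool:
    """Emulate a content:"..."; [nocase;] match restricted to the window."""
    window = inspected_window(payload, server_flow_depth)
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def header_length(payload: bytes) -> int:
    """Number of bytes consumed by the status line and headers."""
    return payload.index(b"\r\n\r\n") + 4


def min_depth_to_see(payload: bytes, pattern: bytes) -> int:
    """Smallest server_flow_depth whose window fully contains the pattern
    (first occurrence, case-insensitive); -1 if the pattern never occurs."""
    idx = payload.lower().find(pattern.lower())
    return -1 if idx < 0 else idx + len(pattern)


if __name__ == "__main__":
    print("headers:", header_length(CONSTRUCTED_RESPONSE), "bytes")
    for depth in (300, 0):
        print("depth", depth, "-> html seen:",
              content_matches(CONSTRUCTED_RESPONSE, b"html", depth))
    print("depth needed for <html>:", min_depth_to_see(CONSTRUCTED_RESPONSE, b"<html>"))
```

Run it with a capture of your own server's response pasted in place of the constructed one to see whether the default window even reaches the end of the headers.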