[Snort-users] URI content not being identified

Jelte masterjel5000 at ...125...
Thu May 8 13:27:01 EDT 2014


You said:

Changing the "content:" to "uricontent" or "http_uri" should not work.
The "content" keyword allows you to search for a string pattern, in your
case "/test.php". Content modifiers on the other hand apply to your
content. So to have your rule corrected try something like:
content:"/test.php"; http_uri;

I am aware that I should place `http_uri;` separately from the content
specification, but this doesn't work. Also I see no reason why replacing
"content" with "uricontent" should not work, because as the official
Snort documentation says: "This is equivalent to using the http_uri
modifier to a content keyword." (refer to
http://manual.snort.org/node385.html).

You also said:

I would also add flow direction in the rule: flow:to_server,
established for example, depending on the direction of the traffic
(3-way handshake).

I agree that this is a preferable addition in order to fine-tune the
rule, but adding this makes no difference when I have
'content:"/test.php"; http_uri;' in my rule, i.e. it still does not
trigger an alert. This also seems logical because it only applies an
additional filter.

Nonetheless, thanks for your suggestions! I still hope someone is able
to help me with this :-)

Y M wrote on 5/8/2014 6:06 PM:
>> Date: Thu, 8 May 2014 17:44:34 +0200
>> From: masterjel5000 at ...125...
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] URI content not being identified
>>
>> Hello all,
>>
>> I have the following Snort rule:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test";
>> content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)
>>
>> Now when I visit mysite.com/test.php an alert is correctly generated.
>> However, as soon as I change "content" to "uricontent", or add
>> "http_uri;" before the "classtype", no alert is generated. I analyzed
>> the traffic using tshark and I can see requests to "test.php" coming
>> through. Do you know any step I could take that may help to identify
>> what is causing this?
> Changing the "content:" to "uricontent" or "http_uri" should not work.  The "content" keyword allows you to search for a string pattern, in your case "/test.php". Content modifiers on the other hand apply to your content. So to have your rule corrected try something like:
> content:"/test.php"; http_uri;
> I would also add flow direction in the rule: flow:to_server, established for example, depending on the direction of the traffic (3-way handshake).
>> Thanks!
>>
