[Snort-users] URI content not being identified

Jelte masterjel5000 at ...125...
Fri May 9 14:30:54 EDT 2014


The rules you provided do not work on my setup: I don't get any alert.
Maybe it's interesting to note that when I change "uricontent" to
"content" in the third and fourth rule and subsequently restart Snort
and go to mysite.com/test.php, the fourth rule generates an alert, but
the third does not. The only difference between the third and the fourth
rule is that the third rule contains "flow:to server,established;",
which apparently can also not be checked by my system. So all three
"uricontent", adding "http_uri;" after the content specification and
"flow:to server,established;" do not work here. I'm really eager to
solve the problem, so if you know any step I could take, please let me
know! I could also provide additional data if you need it.

Thanks!
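A small checker for the rule syntax discussed in this thread, added here as an example and not code from the thread or from the Snort project. It reads a Snort 2.x rule the way a reviewer would: a modifier such as http_uri must follow a content (or uricontent) option, and every flow token must be one of the keywords Snort accepts (to_server with an underscore, not "to server"). It also reports which preprocessors a rule depends on, because in Snort 2.x the normalised URI buffer that uricontent/http_uri match against is only populated when http_inspect is enabled and inspecting the server's port, and flow relies on stream5 session tracking; a rule using either option stays silent when those are missing from snort.conf, even though a plain content match on the same packet fires. The four rules from Y M's reply are used as valid input; the two failing rules and the constructed-rule names are made up for this example.

```python
"""Lint pass for Snort 2.x rule options (added example; simplified, not Snort's own parser)."""
import re
from typing import Dict, List, Set, Tuple

# Tokens accepted by the Snort 2.x `flow` option.
FLOW_TOKENS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "not_established", "stateless",
    "no_stream", "only_stream", "no_frag", "only_frag",
}
# Modifiers that only make sense after a content/uricontent option.
CONTENT_MODIFIERS = {
    "nocase", "rawbytes", "depth", "offset", "distance", "within", "fast_pattern",
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg",
}
# Options that match only when the named preprocessor has produced its buffers/state.
PREPROCESSOR_FOR: Dict[str, str] = {k: "http_inspect" for k in CONTENT_MODIFIERS if k.startswith("http_")}
PREPROCESSOR_FOR["uricontent"] = "http_inspect"
PREPROCESSOR_FOR["flow"] = "stream5"

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' characters outside double quotes -> (keyword, value) pairs."""
    opts: List[Tuple[str, str]] = []
    cur: List[str] = []
    in_quotes = False
    prev = ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(cur).strip()
            if token:
                key, _, value = token.partition(":")
                opts.append((key.strip(), value.strip()))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    return opts


def lint_rule(rule: str) -> List[str]:
    """Return the problems found in one rule; an empty list means the rule passed."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["rule header could not be parsed (expected: action proto src sport -> dst dport (options))"]
    problems: List[str] = []
    body = m.group("body")
    if not body.rstrip().endswith(";"):
        problems.append("last option is not terminated by ';'")
    opts = split_options(body)
    keywords = {k for k, _ in opts}
    for required in ("msg", "sid"):
        if required not in keywords:
            problems.append(f"missing '{required}' option")
    last_content = None  # the content/uricontent that later modifiers attach to
    for key, value in opts:
        if key in ("content", "uricontent"):
            last_content = key
        elif key in CONTENT_MODIFIERS and last_content is None:
            problems.append(f"'{key}' is a content modifier but no content/uricontent precedes it")
        elif key == "flow":
            for tok in (t.strip() for t in value.split(",")):
                if tok in FLOW_TOKENS:
                    continue
                hint = tok.replace(" ", "_")  # catch 'to server' written with a space
                suffix = f" (did you mean '{hint}'?)" if hint in FLOW_TOKENS else ""
                problems.append(f"flow: unknown token '{tok}'{suffix}")
    return problems


def required_preprocessors(rule: str) -> Set[str]:
    """Snort 2.x preprocessors whose output the rule's options depend on."""
    m = HEADER_RE.match(rule)
    if not m:
        return set()
    return {PREPROCESSOR_FOR[k] for k, _ in split_options(m.group("body")) if k in PREPROCESSOR_FOR}


# The four rules Y M reported as working, copied from the thread.
THREAD_RULES = [
    'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server,established; content:"/test.php"; http_uri; classtype:unknown; sid:99000001; rev:1;)',
    'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server; content:"/test.php"; http_uri; classtype:unknown; sid:99000002; rev:1;)',
    'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server,established; uricontent:"/test.php"; classtype:unknown; sid:99000003; rev:1;)',
    'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; uricontent:"/test.php"; classtype:unknown; sid:99000004; rev:1;)',
]
# Constructed rules (not from the thread) showing two easy mistakes: a space inside a
# flow token, and an http_uri modifier placed before any content option.
BROKEN_FLOW = 'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to server,established; content:"/test.php"; http_uri; sid:99000005; rev:1;)'
ORPHAN_MODIFIER = 'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; http_uri; content:"/test.php"; sid:99000006; rev:1;)'

if __name__ == "__main__":
    for r in THREAD_RULES + [BROKEN_FLOW, ORPHAN_MODIFIER]:
        print(lint_rule(r) or "ok", "needs:", sorted(required_preprocessors(r)))
```

Run it as a script to see each rule's verdict and the preprocessors it needs; a rule that passes the lint yet never alerts is then a configuration or traffic question (is http_inspect inspecting that port, is stream5 on, is the request really crossing the sensor) rather than a syntax one.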

Y M schreef op 5/8/2014 8:14 PM:
>> Also I see no reason why replacing "content" with "uricontent" should not work, because as the official Snort documentation says: "This is equivalent to using the http_uri modifier to a content keyword." (refer to http://manual.snort.org/node385.html).
> Re-reading your email and my reply I realize I got this one completely backwards :), sorry about that.
>> I agree that this is a preferable addition in order to fine-tune the rule, but adding this makes no difference when I have 'content:"/test.php"; http_uri;' in my rule, i.e. it still does not trigger an alert. This also seems logical because it only applies an additional filter.
> Flow direction matters since Snort keeps track of the session, and should reflect the direction you are trying to match. I forgot to mention that you also need to define the state of your flow (established, stateless, etc). Without a packet capture and your configuration it is difficult for me to see what you are trying to accomplish. That said, I set up a quick web server and tested the following rules, they all worked:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server,established; content:"/test.php"; http_uri; classtype:unknown; sid:99000001; rev:1;)
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server; content:"/test.php"; http_uri; classtype:unknown; sid:99000002; rev:1;)
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; flow:to_server,established; uricontent:"/test.php"; classtype:unknown; sid:99000003; rev:1;)
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"test"; uricontent:"/test.php"; classtype:unknown; sid:99000004; rev:1;)
>
> YM
> Date: Thu, 8 May 2014 19:27:01 +0200
> From: masterjel5000 at ...125...
> To: snort at ...15979...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] URI content not being identified
>
> You said:
>
>> Changing the "content:" to "uricontent" or "http_uri" should
>> not work.  The "content" keyword allows you to search for a
>> string pattern, in your case "/test.php". Content modifiers on
>> the other hand apply to your content. So to have your rule
>> corrected try something like:
>>
>> content:"/test.php"; http_uri;
>
> I am aware that I should place http_uri; separate from
> the content specification, but this doesn't work. Also I see no
> reason why replacing "content" with "uricontent" should not work,
> because as the official Snort documentation says: "This is
> equivalent to using the http_uri modifier to a content keyword."
> (refer to http://manual.snort.org/node385.html).
>
> You also said:
>
>> I would also add flow direction in the rule: flow:to_server,
>> established for example, depending on the direction of the
>> traffic (3-way handshake).
>
> I agree that this is a preferable addition in order to fine-tune
> the rule, but adding this makes no difference when I have 'content:"/test.php";
> http_uri;' in my rule, i.e. it still does not trigger an
> alert. This also seems logical because it only applies an
> additional filter.
>
> Nonetheless, thanks for your suggestions! I still hope someone is
> able to help me with this :-)
>
> Y M schreef op 5/8/2014 6:06 PM:
>
> Date: Thu, 8 May 2014 17:44:34 +0200
> From: masterjel5000 at ...125...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] URI content not being identified
>
> Hello all,
>
> I have the following Snort rule:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test";
> content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)
>
> Now when I visit mysite.com/test.php an alert is correctly generated.
> However, as soon as I change "content" to "uricontent", or add
> "http_uri;" before the "classtype", no alert is generated. I analyzed
> the traffic using tshark and I can see requests to "test.php" coming
> through. Do you know any step I could take that may help to identify
> what is causing this?
>
> Changing the "content:" to "uricontent" or "http_uri" should not work.  The "content" keyword allows you to search for a string pattern, in your case "/test.php". Content modifiers on the other hand apply to your content. So to have your rule corrected try something like:
>
> content:"/test.php"; http_uri;
>
> I would also add flow direction in the rule: flow:to_server, established for example, depending on the direction of the traffic (3-way handshake).
>
> Thanks!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!