[Snort-users] Reg: Snort Rule for HTTP traffic

Ravi Menon ravi.menon at ...17135...
Tue Apr 7 10:26:15 EDT 2015



I have been struggling with a particular rule for some time now and was
hoping for some ideas to resolve my problem.


Here is what I wish to achieve:


If any IPs outside my $HOME_NET initiate HTTP communication with my
$HTTP_SERVERS server, I want an alert to be generated for the same and the
HTTP request dumped as well so that I can review it later.


Here is what I am doing currently (preprocessor rule):


alert tcp !$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Detected Traffic "; flow:to_server,established; sid:1000001; rev:1; metadata:service http; session:printable;)


I have the stream5 and http_inspect preprocessors configured in snort.conf.

What this does is, although it generates the alert correctly and prints the HTTP
session for requests coming from outside $HOME_NET, it also prints the
HTTP session for traffic from within my $HOME_NET server IPs, so basically
all HTTP traffic is being dumped at this point. I am using a /24 mask for
$HOME_NET and a /32 mask for my $HTTP_SERVERS.

Is there something I am missing? Or will another approach help?

Any help/guidance will be greatly appreciated.



Ravi Menon
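As an added example (not from the post above, and not Snort's own matching code), the script below evaluates the IP/port header of the posted rule, `!$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS`, against a few constructed flows, so you can confirm which clients the `!$HOME_NET` negation admits once the variables are expanded. The values of $HOME_NET, $HTTP_SERVERS and $HTTP_PORTS are assumptions; substitute the ones from your snort.conf. It models only plain CIDR values and port lists, not bracketed lists or port ranges.

```python
import ipaddress

# Constructed variable values (assumed); replace with the ones in snort.conf.
SNORT_VARS = {
    "HOME_NET": ["192.168.1.0/24"],      # /24 as in the post
    "HTTP_SERVERS": ["192.168.1.10/32"], # /32 as in the post
    "HTTP_PORTS": ["80", "8080"],
}

def expand(token):
    """Resolve a '$VAR' or literal header token to (negated, values)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    values = SNORT_VARS[token[1:]] if token.startswith("$") else [token]
    return negated, values

def _in_set(values, probe, is_ip):
    """True if probe (an IP string or a port int) is covered by values."""
    if "any" in values:
        return True
    if is_ip:
        addr = ipaddress.ip_address(probe)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return str(probe) in values

def token_matches(token, probe, is_ip):
    """Apply one header token, honouring a leading '!' negation."""
    negated, values = expand(token)
    return _in_set(values, probe, is_ip) != negated

def header_matches(header, src_ip, src_port, dst_ip, dst_port):
    """Evaluate a unidirectional 'SRC SPORT -> DST DPORT' header for one flow."""
    src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the '->' direction is modelled here")
    return (token_matches(src, src_ip, True) and token_matches(sport, src_port, False)
            and token_matches(dst, dst_ip, True) and token_matches(dport, dst_port, False))

RULE_HEADER = "!$HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS"

def matching_flows(flows):
    """Return the subset of (src_ip, src_port, dst_ip, dst_port) the header matches."""
    return [f for f in flows if header_matches(RULE_HEADER, *f)]

if __name__ == "__main__":
    # Constructed sample flows: one external client, one internal client.
    sample = [("203.0.113.5", 51000, "192.168.1.10", 80),
              ("192.168.1.20", 51001, "192.168.1.10", 80)]
    for flow in sample:
        print(flow, "alert" if header_matches(RULE_HEADER, *flow) else "no match")
```

With the assumed values the internal client never satisfies `!$HOME_NET`, so if internal sessions are still being logged, the cause lies outside this header's IP test (for example, in how the variables are actually defined).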

