[Snort-users] [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream
ronald.hill at ...17380...
Fri Dec 4 09:54:42 EST 2015
Great knowledge share. Thanks.
SOC Analyst I
Dunbar Security Solutions
From: Al Lewis (allewi) <allewi at ...589...>
Sent: Friday, December 4, 2015 9:09 AM
To: Qasim Javed
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream
Have you tried using flowbits? You could try setting a flowbit if the first content is seen, then create another rule to check for that flowbit and alert if the second content is there.
flowbits - SNORT Users Manual 2.9.7
From the manual:
"The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor (see Section[*]). It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol"
Check out the README.flowbits for examples.
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)
alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase; flowbits:set,http.jpg,file_type;)
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
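Applying the flowbits suggestion above to the original question, here is an added example rule pair (not from the thread, not from the Snort distribution). It assumes the two contents are server-to-client HTTP data; FIRST_MARKER and SECOND_MARKER are placeholders for the poster's content_no.1 and content_no.2, the flowbit name http.resp.part1 and the sid values are made up for this example.

```snort
# Added example, not from the thread. Placeholders: FIRST_MARKER, SECOND_MARKER,
# flowbit name http.resp.part1, sid 1000001/1000002 (local-rule range).

# Rule 1: fires on the reassembled chunk that carries content_no.1, sets the
# per-session flowbit and stays silent (noalert) so only the pair produces an alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP response: first marker seen"; flow:to_client,established; content:"FIRST_MARKER"; flowbits:set,http.resp.part1; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: evaluated against every later chunk of the same session; alerts only when
# content_no.2 appears after the bit was set, then clears the bit so that a later
# response on a keep-alive connection has to see FIRST_MARKER again.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP response: both markers seen in session"; flow:to_client,established; flowbits:isset,http.resp.part1; content:"SECOND_MARKER"; flowbits:unset,http.resp.part1; sid:1000002; rev:1;)
```

Because the flowbit lives on the stream session rather than on a single flushed buffer, the second rule matches even when content_no.2 arrives in the chunk flushed after the paf_max boundary. The state is per session, not per HTTP response, so on a keep-alive connection the unset in rule 2 (or a check that rule 1 really describes the response start) is what keeps a marker from one response and a marker from the next one from being paired.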
From: Qasim Javed [mailto:qasim.javed at ...17373...]
Sent: Thursday, December 03, 2015 5:30 AM
To: snort-users at lists.sourceforge.net
Subject: [SUSPICIOUS] [Snort-users] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream
I have enabled TCP reassembly in snort.conf and have set paf_max to 63780, but my pcap to be analyzed contains a response of more than 100000 bytes, and we can find two contents which must come in 63780, but my content_no.1 is in the first 63780 and content_no.2 is in the 2nd chunk of bytes got after flushing. So my rule is not generating an alert; how can I fix this issue and make it unlimited?
I have attached snort.conf.
Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan