[Snort-users] [SUSPICIOUS] how to set paf_max unlimited to get all of the http response between <html> and </html> in single stream

Qasim Javed qasim.javed at ...17373...
Sat Dec 5 15:33:03 EST 2015


Thanks a lot. It worked for me.

Best Regards,

Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan

On 4 December 2015 at 19:54, Ronald Hill <ronald.hill at ...17380...>
wrote:

> Great knowledge share.  Thanks.
>
> *Ron Hill *
> SOC Analyst I
> Dunbar Security Solutions
> http://dunbarcybersecurity.com
>
> ------------------------------
> *From:* Al Lewis (allewi) <allewi at ...589...>
> *Sent:* Friday, December 4, 2015 9:09 AM
> *To:* Qasim Javed
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] [SUSPICIOUS] how to set paf_max unlimited to
> get all of the http response between <html> and </html> in single stream
>
> Hello,
>
> Have you tried using flowbits? You could try setting a
> flowbit if the first content is seen, then create another rule to check for
> that flowbit and alert if the second content is there.
>
> http://manual.snort.org/node470.html
>
> From the manual:
>
> “The flowbits keyword is used in conjunction with conversation tracking
> from the Stream preprocessor (see Section[*]). It allows rules to track
> states during a transport protocol session. The flowbits option is most
> useful for TCP sessions, as it allows rules to generically track the state
> of an application protocol”
>
> Check out the README.flowbits for examples.
>
> Sample Rules
> ------------
>
> alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN";
> flowbits:set,logged_in;)
>
> alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB";
> flowbits:isset,logged_in;)
>
> alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN";
> content:"LIST"; flowbits:isnotset,logged_in;)
>
> alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase;
> flowbits:set,http.jpg,file_type;)
>
> Albert Lewis
> QA Software Engineer
> SOURCE*fire*, Inc. now part of *Cisco*
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> *From:* Qasim Javed [mailto:qasim.javed at ...17373...]
> *Sent:* Thursday, December 03, 2015 5:30 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [SUSPICIOUS] [Snort-users] how to set paf_max unlimited to get
> all of the http response between <html> and </html> in single stream
>
> Hi.
>
> I have enabled TCP reassembly in snort.conf and have *set paf_max to
> 63780*, but the pcap to be analyzed contains a response of more than
> 100000 bytes, and the two contents we need to find must both come within
> 63780 bytes; my *content_no.1* is in the first *63780* and *content_no.2* is
> in the 2nd chunk of bytes obtained after flushing. So my rule is not
> generating an alert. How can I fix this issue and make it unlimited?
>
> I have attached *snort.conf*.
>
> Best Regards,
>
> Qasim Javed| Malware Researcher | Ebryx (Pvt.) Ltd. |
> Office #1, 4th Floor Arfa STP, 346-B Ferozpur Road Lahore, Pakistan
>
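The flowbits approach Al Lewis describes above, as an added toy model that is not Snort code and not part of the original thread: it splits a constructed HTTP response of just over 100000 bytes at paf_max = 63780 the way the stream preprocessor would flush it, shows that a single rule requiring both `<html>` and `</html>` in the same buffer never fires, and then shows the two-rule pattern, where the first rule sets a flowbit on `<html>` (with noalert) and the second alerts on `</html>` only when that bit is already set for the same flow. The `Rule` and `Engine` classes, the flow ids and the response payload are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PAF_MAX = 63780  # the paf_max value from the original post

# Constructed sample: a response of just over 100000 bytes whose opening
# and closing tags fall into different reassembly chunks at paf_max.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
            + b"x" * 100000 + b"</html>")


def chunks(payload: bytes, paf_max: int = PAF_MAX) -> List[bytes]:
    """Model the stream preprocessor flushing at most paf_max bytes at a time."""
    return [payload[off:off + paf_max] for off in range(0, len(payload), paf_max)]


@dataclass
class Rule:
    msg: str
    contents: Tuple[bytes, ...]      # every pattern must match in ONE buffer
    set_bit: Optional[str] = None    # like flowbits:set,<bit>
    isset_bit: Optional[str] = None  # like flowbits:isset,<bit>
    noalert: bool = False            # like flowbits:noalert


@dataclass
class Engine:
    rules: List[Rule]
    paf_max: int = PAF_MAX
    flow_bits: Dict[str, Set[str]] = field(default_factory=dict)  # per-flow state
    alerts: List[str] = field(default_factory=list)

    def feed(self, flow_id: str, payload: bytes) -> List[str]:
        """Evaluate every rule against each flushed chunk of one flow.
        Flowbits live in per-flow state, so a bit set on chunk 1 is still
        visible when chunk 2 is inspected."""
        bits = self.flow_bits.setdefault(flow_id, set())
        for chunk in chunks(payload, self.paf_max):
            for rule in self.rules:
                if not all(pat in chunk for pat in rule.contents):
                    continue
                if rule.isset_bit and rule.isset_bit not in bits:
                    continue
                if rule.set_bit:
                    bits.add(rule.set_bit)
                if not rule.noalert:
                    self.alerts.append(rule.msg)
        return list(self.alerts)


def run_single_rule() -> List[str]:
    """One rule that needs both tags in the same buffer: misses on a long page."""
    eng = Engine([Rule("HTML page complete", (b"<html>", b"</html>"))])
    return eng.feed("flow-A", RESPONSE)


def run_flowbits_pair() -> List[str]:
    """Two rules chained by a flowbit: catches the tags across chunks."""
    rules = [
        Rule("HTML start seen", (b"<html>",), set_bit="html_open", noalert=True),
        Rule("HTML page complete", (b"</html>",), isset_bit="html_open"),
    ]
    eng = Engine(rules)
    eng.feed("flow-A", RESPONSE)
    # A second flow carrying only a closing tag never had the bit set, so
    # the second rule stays quiet: flowbit state does not leak between flows.
    eng.feed("flow-B", b"</html>")
    return list(eng.alerts)


if __name__ == "__main__":
    print("chunks:", len(chunks(RESPONSE)))
    print("single rule alerts:", run_single_rule())
    print("flowbits pair alerts:", run_flowbits_pair())
```

Raising paf_max only moves the boundary; the flowbit pair works regardless of where the stream preprocessor flushes, which is why the reply recommends it over trying to make the buffer unlimited.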