<div dir="ltr">
<div>Hi,</div>
<div><br></div>
<div>I have a snort rule:</div>
<div><br></div>
<pre>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; fast_pattern; http_client_body; content:"&amp;pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)</pre>
<div><br></div>
<div>The following event shouldn't trigger without a "clntnetid" in the string, so it looks like some data isn't getting logged into the snort tables:</div>
<div><br></div>
<pre>[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862 -> 185.8.63.111:80
TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~Content-Length: 143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~</pre>
<div><br></div>
<div>Another event that triggered this alert had "clntnetid" in the data string.</div>
<div>Not sure whether the events that are triggering this alert have that string in the data and snort is not logging it in the database, or whether something is not correct with the rule that is causing it to trigger for events NOT having that particular string in the data.</div>
<div><br></div>
<div>Snort version - 2.9.8.3</div>
<div>barnyard version - 2-1.9</div>
<div>pulledpork - 0.7.0</div>
<div><br></div>
<div>Does anyone know what might be going on?</div>
<div><br></div>
<div>Thanks,</div>
<div>Fatema.</div>
</div>
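<div>As an added example (not code from the original post, from Snort or from barnyard), the Python below replays the rule's two client-body content checks against the request text shown in the alert, treating the <code>::~~</code> token as a stand-in for CRLF (an assumption). The logged data declares Content-Length: 143 but carries no body bytes, so the packet shown cannot by itself have satisfied the <code>http_client_body</code> match; that is consistent with the body arriving in a later segment of the reassembled stream while only the triggering packet was logged (also an assumption, not something the post states).</div>

```python
"""Added example, not code from the original post or from Snort: replay the
rule's http_client_body content checks against the request text in the alert.
Assumption: the "::~~" token in the logged data stands for CRLF."""

SEP = "::~~"

# Request text copied from the alert in the post, e-mail line wrapping removed.
LOGGED_PAYLOAD = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~"
    "Content-Length: 143::~~Connection: keep-alive::~~"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) "
    "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 "
    "Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~"
    "Accept-Encoding: gzip, deflate::~~::~~"
)

def split_request(raw, sep=SEP):
    """Return (request_line, headers, body); the doubled separator is the
    blank line that ends the header block."""
    head, _, body = raw.partition(sep * 2)
    lines = head.split(sep)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def rule_body_matches(body):
    """Mirror the rule's two client-body contents:
    content:"clntnetid="; depth:10;  -> within the first 10 body bytes, which for
                                        a 10-byte pattern means offset 0
    content:"&pword="; distance:0;   -> after the first match (same buffer here)."""
    first = "clntnetid="
    idx = body[:10].find(first)
    if idx < 0:
        return False
    return "&pword=" in body[idx + len(first):]

def analyze(raw):
    """Compare what the logged data carries with what the rule needs."""
    _, headers, body = split_request(raw)
    return {
        "declared_content_length": int(headers.get("content-length", 0)),
        "body_bytes_present": len(body),
        "rule_body_match": rule_body_matches(body),
    }

if __name__ == "__main__":
    print(analyze(LOGGED_PAYLOAD))   # 143 declared, 0 present, no match
    # Constructed bodies: one accepted, one rejected because the field sits past depth 10.
    print(rule_body_matches("clntnetid=user%40example.com&pword=REDACTED"))  # True
    print(rule_body_matches("user=x&clntnetid=a&pword=b"))                    # False
```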