Home page logo
/

snort logo Snort mailing list archives

Re: Issue while detecting patterns in a simple HTTP Page [Web client based]
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 22 Nov 2010 08:32:28 -0500

This is most likely an issue with your server_flow_depth variable, which
controls the amount of payload being returned from a web server that is
inspected by Snort. By default, it's set to 300 bytes - generally enough to
get the HTTP headers and not a great deal else. You can up the value as
desired, including setting it to 0 if you want to inspect everything that's
returned from a web server. Note that, if you do and you're on a busy
network, you may see some performance issues - HTTP traffic is generally
around 90% of what you get on a standard Internet connection, and what comes
down from servers is generally 90% or so of that traffic. Of course, if
you're a home user or a SMB, you'll probably be fine, assuming you're
running on a decent, modern box.

On Sun, Nov 21, 2010 at 11:57 PM, Sujit Ghosal <thesujit () gmail com> wrote:

Below is my snort rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP Test Rule";
flow:established,to_client; content:"html"; nocase;
classtype:web-application-attack; reference:url,
www.exploit-db.com/exploits/999999; sid:9000; rev:1;)

And this is my snort.conf file entries: http://vim.pastey.net/143149

- Sujit


On Mon, Nov 22, 2010 at 6:43 AM, waldo kitty <wkitty42 () windstream net>wrote:

On 11/21/2010 13:59, Sujit Ghosal wrote:
Hey Guys,
     I have installed Snort v2.8.x in FC-13//Ubuntu v10.10 and
everything got
installed/configured (installed through Redhat Package Manager//Synaptic
Package
Manager) successfully. But while writing a rule to detect a simple
pattern
inside HTML body, snort is failing to do so! If I check for the HTTP
MIME
headers only i.e. "Content-Type:", "Via:" etc. then snort detects those
patterns
flawlessly. Even I wrote a simple rule to detect GET requests over
$HTTP_PORTS
and its working fine.

can you post the rule that you have that is not working??

But while it comes to check for the contents inside the HTML body
(client side
web pages) entity then snort is not even detecting a single <html> tag.
I guess,
its an issue with any preprocessors, but I have no idea that which
preprocessor
could be creating such issues.

we might need to see your snort.conf file, too... but let's look at your
rule
first ;)

I am fully stuck in that place and not able to figure out that how I
should fix
this silly problem.

Please help. Any help would be more appreciated.

we will do what we can :)


------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault