Snort mailing list archives

Re: Rules with options like http_uri of flow
From: rmkml <rmkml () yahoo fr>
Date: Tue, 17 Dec 2013 22:11:41 +0100 (CET)

Hi Onno,

Could you check with checksum verification disabled, please? (-k none)


On Tue, 17 Dec 2013, onno () b00z nl wrote:


I have some, at least for me, weird behaviour with snort rules. I already
reinstalled everything 3 times, but still haven't gotten it to work.
The sensor is passive and connected to a switch monitor port. I'm testing
the setup for monitoring both in- and outbound traffic, so I configured
both HOME_NET and EXTERNAL_NET with any.

While I was testing, I discovered that I was unable to fire some rules. So
I created the following test rules:

This one is working when requesting a URL like http://<hostname>/blaat.txt
test rule blaat.txt"; content:"GET /blaat.txt"; nocase; metadata:ruleset
community, service http; classtype:web-application-attack; sid:1002;

This rule is derived from an existing one. But the modified existing one
has also the following options:
flow:to_server,established; and/or http_uri;
But as soon as I add one of those options, the rule won't fire. And
because of that I think that there might be something wrong with my setup
and that it won't hit on other rules also.

This is an example of a rule that won't fire:
test rule blaat.txt"; flow:to_server,established; content:"GET
/blaat.txt"; nocase; metadata:ruleset community, service http;
classtype:web-application-attack; sid:1002; rev:18;)

Even without the flow option and with http_uri, it does not work.

Any insight would be great.

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
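The following is an added example, not code from the thread or from the Snort project: a small Python model of why the poster's content pattern stops matching once http_uri is added. In Snort 2.x, http_uri restricts the content match to the normalized URI buffer, which holds only the request path (not the "GET " method or the HTTP version), so "GET /blaat.txt" can never be found there while "/blaat.txt" can. The HTTP request below is constructed, and the URI extraction is a deliberate simplification of Snort's normalization.

```python
# Added example (not from the thread): model a content: match with and without
# the http_uri modifier. Sample request is constructed for this illustration.

SAMPLE_REQUEST = (
    b"GET /blaat.txt HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/7.33.0\r\n\r\n"
)


def uri_buffer(request: bytes) -> bytes:
    """Return the URI of the request line (a stand-in for Snort's http_uri buffer).

    Simplification: real Snort normalizes the URI (percent-decoding, path
    canonicalization, etc.) before matching; here we only split the request line.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b""
    return parts[1]


def content_matches(request: bytes, pattern: bytes,
                    http_uri: bool = False, nocase: bool = True) -> bool:
    """Model of 'content:"..."; [nocase;] [http_uri;]'.

    Without http_uri the whole payload is searched; with http_uri only the
    URI buffer is, which is why a pattern containing the method cannot hit.
    """
    haystack = uri_buffer(request) if http_uri else request
    if nocase:
        haystack, pattern = haystack.lower(), pattern.lower()
    return pattern in haystack


def evaluate_test_rules(request: bytes = SAMPLE_REQUEST) -> dict:
    """Outcome of the thread's pattern with and without http_uri, plus the fix."""
    return {
        "raw 'GET /blaat.txt'": content_matches(request, b"GET /blaat.txt"),
        "http_uri 'GET /blaat.txt'": content_matches(request, b"GET /blaat.txt", http_uri=True),
        "http_uri '/blaat.txt'": content_matches(request, b"/blaat.txt", http_uri=True),
    }


if __name__ == "__main__":
    for rule, fired in evaluate_test_rules().items():
        print(f"{rule:28} -> {'fires' if fired else 'does not fire'}")
```

The flow:to_server,established clause is a separate condition: it is only satisfied when the stream preprocessor has tracked the session as established, so a sensor that never saw the handshake or that rejects packets on checksum (the -k none suggestion above) will also keep that rule quiet even with a correct content pattern.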
