Snort mailing list archives

Re: Linking this with that to create an alert
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 29 Jan 2014 09:46:51 -0700

On 2014-01-29 09:37, rmkml wrote:
Hi James,

First, thanks for all your sharing!

Please try with these two sigs,

The first sig matches /jquery on http_uri and sets a flowbit.

The second sig checks the flowbit before and after the HTTP reply with 

Remember to add flowbits:noalert; on the first sig if it works ;)

# flowbits:noalert;
alert tcp any any -> any 80 (msg:"jquery uri flowbits"; flow:to_server,established; content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery; classtype:web-application-activity; sid:1; rev:99;)

alert tcp any 80 -> any any (msg:"jquery uri with document.write reply attempt"; flow:to_client,established; flowbits:isset,http.jquery; file_data; content:"document.write"; distance:0; classtype:web-application-activity; sid:2; rev:99;)

Best Regards

On Wed, 29 Jan 2014, James Lay wrote:


In looking at:


I'm wondering if there's a way to, in plain English: "if I requested 
jquery named file, and that file contains a document.write, then 
Betting it's a flowbit thing, which I've not really used much.  Any
good resources that could assist with something like this?  Thanks.


Thanks RM...I'll give these a go in a bit and report my findings :)
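To show what the two-rule flowbits chain above actually buys you, here is a toy model of it (added example, not code from the thread or from Snort): per-flow state is set by the request rule and consumed by the response rule, so a response containing document.write on a flow that never requested a /jquery URI does not fire. The Packet fields, flow keying and sample traffic are constructed assumptions.

```python
"""Toy flowbits model: sid:1 sets 'http.jquery' on a /jquery request,
sid:2 alerts only when the reply on that same flow has 'document.write'."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: tuple            # (ip, port) - constructed, not a real capture
    dst: tuple
    to_server: bool       # flow:to_server vs flow:to_client
    uri: str = ""         # request URI (Snort's http_uri buffer)
    body: bytes = b""     # response body (Snort's file_data buffer)


def flow_key(pkt):
    # Same key for both directions, as Snort's flow tracker keys a session.
    return tuple(sorted([pkt.src, pkt.dst]))


class FlowbitsEngine:
    def __init__(self):
        self.bits = {}    # flow_key -> set of flowbit names set on that flow

    def process(self, pkt):
        """Return the sids that alert on this packet."""
        bits = self.bits.setdefault(flow_key(pkt), set())
        alerts = []
        # sid:1 - content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery
        if pkt.to_server and "/jquery" in pkt.uri.lower():
            bits.add("http.jquery")      # flowbits:noalert -> state only
        # sid:2 - flowbits:isset,http.jquery; file_data; content:"document.write"
        if not pkt.to_server and "http.jquery" in bits and b"document.write" in pkt.body:
            alerts.append(2)
        return alerts


def run(packets):
    eng = FlowbitsEngine()
    return [(i, sid) for i, p in enumerate(packets) for sid in eng.process(p)]


# Constructed sample traffic: one flow requests jQuery, the other does not.
CLIENT, OTHER, SERVER = ("10.0.0.5", 51000), ("10.0.0.6", 51001), ("203.0.113.10", 80)
SAMPLE = [
    Packet(CLIENT, SERVER, True, uri="/js/jQuery-1.9.1.min.js"),
    Packet(SERVER, CLIENT, False, body=b"...document.write('<scr'+'ipt>')..."),
    Packet(OTHER, SERVER, True, uri="/index.html"),
    Packet(SERVER, OTHER, False, body=b"<script>document.write('x')</script>"),
]

if __name__ == "__main__":
    print(run(SAMPLE))   # only the jQuery flow's reply (packet 1) fires sid:2
```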


Snort-sigs mailing list
Snort-sigs () lists sourceforge net

