Snort mailing list archives
Re: http_header
From: "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>
Date: Sat, 16 Jan 2010 00:40:46 -0200
I just tested your rule and it works fine.

root@notsecure:/etc/snort# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

root@notsecure:/etc/snort#
root@notsecure:/etc/snort# snort -c snort-localrules.conf -A console -K none -q
01/16-00:32:29.872188 [**] [1:3000004:0] HTTP traffic to www.microsoft.com[**] [Priority: 0] {TCP} 192.168.0.100:56345 -> 65.55.12.249:80
01/16-00:32:30.097842 [**] [1:3000004:0] HTTP traffic to www.microsoft.com[**] [Priority: 0] {TCP} 192.168.0.100:56345 -> 65.55.12.249:80
01/16-00:32:30.375011 [**] [1:3000004:0] HTTP traffic to www.microsoft.com[**] [Priority: 0] {TCP} 192.168.0.100:42317 -> 201.6.1.142:80
01/16-00:32:30.379649 [**] [1:3000004:0] HTTP traffic to www.microsoft.com[**] [Priority: 0] {TCP} 192.168.0.100:42318 -> 201.6.1.142:80

Snort 2.8.6beta has more features but you don't need it for this rule.

How are you starting your snort?

Regards,

On Fri, Jan 15, 2010 at 6:37 PM, Mike Messick <mikem () tridigitalenterprises com> wrote:
Hi Folks,
I'm trying to write some rules that will alert whenever a specific http
host is requested by a client. For example:
alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; sid:3000004;)
However I cannot get this rule to alert. What am I doing wrong?
I did notice this in the release notes for 2.8.6 Beta:
[*] New Additions
* HTTP Inspect now splits requests into 5 components -
Method, URI, Header (non-cookie), Cookies, Body.
Content and PCRE rule options can now search one or more of these
I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta?
Any help will be most appreciated.
Thanks,
-Mike.
------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker
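Editor's note, added to this archived thread and not code from Rodrigo, Mike or the Snort project: the Python below models what the rule in this thread asks Snort to do, so the behaviour of the http_header and nocase modifiers can be seen on a constructed request without a running sensor. It splits a raw request into the five buffers named in the quoted 2.8.6 release note (method, URI, non-cookie header, cookie, body), parses the content option and the modifiers that follow it with Snort 2 semantics (a modifier applies to the content before it), and checks the pattern only in the selected buffer. The request, the buffer-splitting logic and the option tokeniser are this example's own simplifications (no header folding, no normalisation, no |hex| escapes), not Snort's implementation. One caveat worth keeping in mind with Rodrigo's "how are you starting your snort" question: in a real sensor the http_* buffers are populated by the HTTP Inspect preprocessor, so the loaded configuration must enable it and the traffic must be on a port covered by $HTTP_PORTS, otherwise the rule has nothing to match against.

```python
import re

# Constructed sample request (not from the thread). The Host header carries the
# target name in mixed case; the URI carries a different host name so that a
# match in the wrong buffer would be visible.
SAMPLE_REQUEST = (
    b"GET /index.html?ref=www.example.org HTTP/1.1\r\n"
    b"Host: WWW.Microsoft.COM\r\n"
    b"User-Agent: test-client/1.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# The rule from the thread, on one line.
RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"HTTP traffic to www.microsoft.com"; '
        'content:"www.microsoft.com"; http_header; nocase; sid:3000004;)')

BUFFER_MODIFIERS = {"http_method", "http_uri", "http_header", "http_cookie", "http_client_body"}

# One rule option: a keyword, an optional ":value" (quoted or bare), then ';'.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


def split_request(raw):
    """Split a raw HTTP request into the five buffers named in the 2.8.6 release
    note. Simplified model: no header folding, no normalisation, and the body is
    everything after the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    header_lines, cookie_lines = [], []
    for line in lines[1:]:
        (cookie_lines if line.lower().startswith(b"cookie:") else header_lines).append(line)
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": b"\r\n".join(header_lines),
        "http_cookie": b"\r\n".join(cookie_lines),
        "http_client_body": body,
        "payload": raw,  # a content with no http_* modifier searches the whole payload
    }


def parse_content_options(rule):
    """Return one dict per content option: pattern, the buffer it applies to, nocase.
    Snort 2 semantics: a modifier applies to the content that precedes it.
    Hex escapes such as |41 42| are not handled in this model."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for name, value in OPTION_RE.findall(body):
        if name == "content":
            contents.append({"pattern": value.strip('"').encode(),
                             "buffer": "payload", "nocase": False})
        elif name in BUFFER_MODIFIERS and contents:
            contents[-1]["buffer"] = name
        elif name == "nocase" and contents:
            contents[-1]["nocase"] = True
    return contents


def rule_matches(rule, raw_request):
    """True when every content option finds its pattern in its own buffer."""
    buffers = split_request(raw_request)
    for opt in parse_content_options(rule):
        hay, needle = buffers[opt["buffer"]], opt["pattern"]
        if opt["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


if __name__ == "__main__":
    # The thread's rule matches the Host header; the same pattern restricted to
    # the URI does not, and dropping nocase fails on the mixed-case Host value.
    print("http_header + nocase :", rule_matches(RULE, SAMPLE_REQUEST))
    print("http_uri instead     :", rule_matches(RULE.replace("http_header", "http_uri"), SAMPLE_REQUEST))
    print("without nocase       :", rule_matches(RULE.replace(" nocase;", ""), SAMPLE_REQUEST))
```

The three calls at the bottom are the useful comparison: the rule as written alerts, the same content tied to http_uri does not (the host name is only in the header), and without nocase the mixed-case Host value is missed. That last case is the reason nocase belongs on a Host-header rule even though the rule in the thread already has it.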
