Snort mailing list archives
Re: Hi all! (and a snort sig question)
From: Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 6 Oct 2024 22:58:05 +0000
Looking closer at the packets, there's (of course) no SNI field when browsing by IP. Trying a different approach now.

From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Rob Vandenbrink via Snort-sigs
Sent: Thursday, October 3, 2024 5:45 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] Hi all! (and a snort sig question)

Hi everyone - long time snort user / new to this list though.

I'm trying to build a signature that triggers on a user browsing by IP address (instead of by FQDN or CN). So it would be fine with "https://www.cisco.com" but trigger on "https://23.56.210.155" (or whatever cisco resolves to that day).

So far I have this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"BROWSER OTHER alert on direct ip browsing"; \
    content:"."; \
    http_raw_uri:host; \
    pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \
    ssl_state:client_hello; \
    sid:1000010; \
    rev:33; \
    gid:1; \
    priority:4; \
    classtype:unknown; \
)

No joy on this at all - it reads fine into the config, but never fires. I think this is a basic misunderstanding on how to chain the field, the content and the pcre statement together. They only parse if they're in this order, but I have no clue how to get one line to relate to the next (the content line seems extraneous to me).

If there was a decent reference website I'd go there, but most either document everything discretely (rather than in combination), or have really basic examples ...

If anyone has good thoughts on this, beverages are on me if you are ever at a SANSFIRE or SECTOR conference (or are in Ontario, Canada near me).

(and yes, when all is done I can play with http_uri and raw_uri to see which works best for evasive encoding)

==============
Rob VandenBrink
519-589-1881
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 04)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 07)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 08)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Al Lewis (allewi) via Snort-sigs (Oct 10)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 08)
- Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 07)
