Snort mailing list archives
(no subject)
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 22 Oct 2002 22:36:45 -0500
A group of us that use and monitor snort related stuff meets every so
often to talk about 'stuff'... And though I think I've heard this
before, I can't seem to find it. So here it is:
It would be highly "COOL" if there were a flag that could be set within
a rule that identified what type of response was returned from an HTTP
daemon. This way, web rules would be able to have many false positives
removed, since in the vast majority of cases a non-OK (200) message
would mean the attempt failed. I realize it may cause problems, because
you're requiring the inspection of multiple packets... And some rules
that have uricontent actually are responses from servers, so I'm not
really sure how all that would work out at this point....
So a rule could be created as such:
Original ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215;
classtype:web-application-activity; sid:1701; rev:3;)
New ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar-admin.pl access"; flow:to_server,established;
uricontent:"/calendar-admin.pl"; nocase; http-status-code:successful;
reference:bugtraq,1215; classtype:web-application-activity; sid:1701;
rev:3;)
Possible groupings for different types of responses:
1. successful
one of the 200's and possibly 300's
2. failure
any 400 or 500
3. serverror
any 500
4. bad
any 400
5. redir
any 300 (possibly excluding 304)
6. ok
200 (possibly all other 200s)
Should probably also allow a comma separated list of http status codes.
And the name for it can easily be different (http-return-code, httpcode,
httpreturn, httpstatus...)
http://www.w3.org/Protocols/HTTP/HTRESP.html
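The status-code groupings proposed above, worked through as an added example (not code from the post or from Snort): a small Python classifier that parses the HTTP status line of a server reply, evaluates a hypothetical `http-status-code` option value (a group name or a comma separated list of codes), and only "alerts" on the calendar-admin.pl request when the reply falls in the requested group. The request and reply bytes are constructed samples; the group boundaries follow the post, with `redir` excluding 304 as it suggests.

```python
import re
from typing import Callable, Dict, Optional

# Groupings exactly as listed in the post (assumed semantics for the
# hypothetical http-status-code option): ranges are half-open.
GROUPS: Dict[str, Callable[[int], bool]] = {
    "successful": lambda c: 200 <= c < 400,          # 2xx and 3xx
    "failure":    lambda c: 400 <= c < 600,          # any 4xx or 5xx
    "serverror":  lambda c: 500 <= c < 600,          # any 5xx
    "bad":        lambda c: 400 <= c < 500,          # any 4xx
    "redir":      lambda c: 300 <= c < 400 and c != 304,  # 3xx minus 304
    "ok":         lambda c: c == 200,                # plain 200 only
}

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})\b")


def parse_status_code(response: bytes) -> Optional[int]:
    """Return the numeric status code from an HTTP reply, or None."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None


def status_matches(option_value: str, code: int) -> bool:
    """Evaluate an option value such as 'successful' or '200,302'."""
    value = option_value.strip()
    if value in GROUPS:
        return GROUPS[value](code)
    wanted = {int(c) for c in value.split(",") if c.strip().isdigit()}
    return code in wanted


def should_alert(request: bytes, response: bytes,
                 uri: str, option_value: str) -> bool:
    """Pair a client request with its server reply: alert only when the
    URI matched (case-insensitively, like nocase) AND the reply's status
    code satisfies the http-status-code option value."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    if uri.lower() not in request_line.lower():
        return False
    code = parse_status_code(response)
    return code is not None and status_matches(option_value, code)


# Constructed sample traffic for the sid:1701 scenario from the post.
REQ = b"GET /cgi-bin/Calendar-Admin.pl HTTP/1.0\r\nHost: www.example\r\n\r\n"
RESP_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for resp in (RESP_404, RESP_200):
        print(parse_status_code(resp),
              should_alert(REQ, resp, "/calendar-admin.pl", "successful"))
```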