Snort mailing list archives
Idea for http response code as flag.
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Wed, 23 Oct 2002 10:00:21 -0500
<This might actually get read if I send it with a subject line.>

A group of us that use and monitor snort related stuff meets every so often to talk about 'stuff'... And though I think I've heard this before, I can't seem to find it. So here it is:

It would be highly "COOL" if there were a flag that could be set within a rule that identified what type of response was returned from an HTTP daemon. This way, web rules would be able to have many false positives removed, since in the vast majority of cases a non-OK (200) message would mean the attempt failed.

I realize it may cause problems, because you're requiring the inspection of multiple packets... And some rules that have uricontent actually are responses from servers, so I'm not really sure how all that would work out at this point....

So a rule could be created as such:

Original ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:3;)

New ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; http-status-code:successful; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:3;)

Possible groupings for different types of responses:

1. successful   one of the 200's and possibly 300's
2. failure      any 400 or 500
3. serverror    any 500
4. bad          any 400
5. redir        any 300 (possibly excluding 304)
6. ok           200 (possibly all other 200s)

Should probably also allow a comma-separated list of http status codes. And the name for it can easily be different (http-return-code, httpcode, httpreturn, httpstatus...)

http://www.w3.org/Protocols/HTTP/HTRESP.html
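The proposed option, as an added worked example that is not from the post or from Snort itself: a small Python mock-up of how a hypothetical http-status-code: option value could be evaluated against the status line of the server's response, combined with the request-side uricontent hit. Where the post says "possibly" (300's inside successful, 304 outside redir, all 200's as ok) the choice made here is an assumption, and the sample responses are constructed.

```python
import re

# Groupings from the post. Where the post says "possibly", the boundary chosen here is an assumption.
STATUS_GROUPS = {
    "successful": lambda c: 200 <= c < 400,                # 2xx plus 3xx (assumption: 3xx included)
    "failure":    lambda c: 400 <= c < 600,                # any 4xx or 5xx
    "serverror":  lambda c: 500 <= c < 600,                # any 5xx
    "bad":        lambda c: 400 <= c < 500,                # any 4xx
    "redir":      lambda c: 300 <= c < 400 and c != 304,   # 3xx (assumption: 304 excluded)
    "ok":         lambda c: 200 <= c < 300,                # assumption: all 2xx count as ok
}

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})\b")

def parse_status_code(response):
    """Return the numeric status code from the first line of an HTTP response, or None
    when the payload does not start with a status line (e.g. a non-HTTP stream)."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None

def parse_option_value(option_value):
    """Turn the option value into a predicate: either a named group from the post
    or a comma-separated list of three-digit status codes."""
    value = option_value.strip().lower()
    if value in STATUS_GROUPS:
        return STATUS_GROUPS[value]
    codes = set()
    for item in value.split(","):
        item = item.strip()
        if not (item.isdigit() and len(item) == 3):
            raise ValueError(f"unknown status group or bad code list: {option_value!r}")
        codes.add(int(item))
    return lambda c: c in codes

def status_matches(option_value, code):
    """True when the response status code satisfies the option value."""
    return code is not None and parse_option_value(option_value)(code)

def rule_would_alert(request_uri_hit, response, option_value):
    """The post's idea: the alert fires only if the request matched uricontent AND the
    server's reply falls in the requested status group, suppressing failed attempts."""
    return request_uri_hit and status_matches(option_value, parse_status_code(response))

# Constructed sample responses (not taken from the post).
RESP_OK       = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_NOTFOUND = b"HTTP/1.0 404 Not Found\r\n\r\n"
RESP_NOTMOD   = b"HTTP/1.1 304 Not Modified\r\n\r\n"
```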