Snort mailing list archives

Re: Content not being detected


From: Matt Olney <molney () sourcefire com>
Date: Mon, 9 Feb 2009 22:39:24 -0500

I'm not at work, but try changing the POST/depth combo to:

content:"POST"; http_method; nocase;

Matt

On Mon, Feb 9, 2009 at 9:55 PM, Jimmy Tharel <jtharel () yahoo com> wrote:
I recently upgraded from Snort 2.6 to 2.8.3.1 and the following rule has
quit working.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"ALERT - POST - Execution of asp"; flow:to_server,established; \
    uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase; \
    content:"POST"; depth:4; nocase; \
    classtype:web-application-activity; sid:1000004; rev:2;)

It worked just fine in 2.6 but for whatever reason does not work in 2.8.3.1.

My http_inspect section of my snort.conf is the same in both versions:
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500

Could it be the difference between the Stream4 and Stream5 preprocessor?
My Stream5 is configured with the defaults and the setup is:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes

I've read over the Stream5 README but I don't see anything that would be
causing that rule not to work. I've played with the max_tcp and memcap
settings but to no avail. Can anybody help me?

Thanks!

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


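As an added illustration of the difference between the two rule forms discussed above (this is not code from the thread and not Snort code; it is a toy matcher written for this page), the script below runs both matching strategies over a few constructed HTTP buffers. It assumes, purely for illustration, that one way a raw-buffer `content:"POST"; depth:4;` anchor can miss is that the buffer handed to the detection engine does not begin at the POST request line, for example a reassembled stream that carries a pipelined GET ahead of the POST; the thread itself does not diagnose the cause, and `http_method` is the robust way to say "the method of this request is POST" regardless of where the request sits in the buffer. The request buffers, hostnames and URIs are made up.

```python
"""Toy comparison of two Snort-style match strategies (illustration only, not Snort).

rule_with_depth()       mimics  content:"POST"; depth:4; nocase;  on the raw buffer
rule_with_http_method() mimics  content:"POST"; http_method; nocase;  per request
Both also require uricontent:"/ab/dir1/" and uricontent:".asp" (nocase).
"""

import re

# Constructed sample buffers (not captures from the thread).
SIMPLE_POST = (
    b"POST /ab/dir1/upload.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Assumed scenario: two pipelined requests in one reassembled buffer, so the
# POST request line is no longer at offset 0 of what the engine inspects.
PIPELINED = (
    b"GET /ab/dir1/index.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
    + SIMPLE_POST
)

GET_ONLY = b"GET /ab/dir1/index.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# A request line sits either at the start of the buffer or right after the
# CRLFCRLF that ends the previous request's headers. Bodies are ignored, which
# is fine for these body-less samples but is NOT a general HTTP parser.
_REQUEST_LINE = re.compile(rb"(?:^|\r\n\r\n)([A-Za-z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_requests(buf: bytes) -> list[tuple[bytes, bytes]]:
    """Return [(method, uri), ...] for every request line found in buf."""
    return [(m.group(1), m.group(2)) for m in _REQUEST_LINE.finditer(buf)]


def uri_matches(uri: bytes) -> bool:
    """uricontent:"/ab/dir1/"; nocase; uricontent:".asp"; nocase;"""
    u = uri.lower()
    return b"/ab/dir1/" in u and b".asp" in u


def match_raw_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """content:pattern; depth:N; nocase; -- only the first N bytes of the raw buffer."""
    return pattern.lower() in buf[:depth].lower()


def rule_with_depth(buf: bytes) -> bool:
    """Original rule: URI checks on any request, plus POST within the first 4 raw bytes."""
    uri_ok = any(uri_matches(u) for _, u in parse_requests(buf))
    return uri_ok and match_raw_depth(buf, b"POST", 4)


def rule_with_http_method(buf: bytes) -> bool:
    """Suggested rule: method and URI checks evaluated on the same request."""
    return any(m.upper() == b"POST" and uri_matches(u) for m, u in parse_requests(buf))


if __name__ == "__main__":
    for name, buf in (("simple POST", SIMPLE_POST),
                      ("GET then POST", PIPELINED),
                      ("GET only", GET_ONLY)):
        print(f"{name:14} depth:4 -> {rule_with_depth(buf)!s:5}  "
              f"http_method -> {rule_with_http_method(buf)}")
```

Running it shows the two forms agree on a lone POST and on a lone GET, and differ only when the POST is not the first thing in the buffer: the raw-offset anchor misses it, the per-request method check still fires.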