Snort mailing list archives
Re: shouldn't snort redefine uricontent to handle proxies?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 21 Sep 2009 15:05:00 +1200
On 09/21/2009 02:53 PM, Matt Olney wrote:
um......maybe I'm missing something...but a uircontent for /virus.exe will find /viruse.exe anywhere in the normalized buffer.
Ah - good. But it doesn't on my system :-) I tried telneting to the proxy and typed in "GET /bad.thing\r\nHost: bad.host\r\n\r\n" and had the following rule trigger, but if instead I did "curl -xproxy:3128 http://bad.host/bad.thing" it didn't trigger The rule I've been testing with is as follows, and HTTP_PORTS includes 3128: alert tcp $HOME_NET any -> proxy.ip $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker trojan proxy atiup runtime detection - notification"; flow:to_server,established; uricontent:"/devrandom/r.php"; nocase; uricontent:"i="; nocase; uricontent:"s="; nocase; uricontent:"o="; nocase; uricontent:"c="; nocase; uricontent:"v="; nocase; uricontent:"h="; nocase; uricontent:"l="; nocase; uricontent:"a="; nocase; uricontent:"ip="; nocase; uricontent:"win="; nocase; uricontent:"un="; nocase; uricontent:"x="; nocase; content:"Host|3A|"; nocase; content:"jupitersatellites.biz"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*jupitersatellites\x2Ebiz/smi"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_137129.htm; classtype:misc-activity; sid:7126; rev:2;) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- shouldn't snort redefine uricontent to handle proxies? Jason Haar (Sep 20)
- Re: shouldn't snort redefine uricontent to handle proxies? Matt Olney (Sep 20)
- Re: shouldn't snort redefine uricontent to handle proxies? Jason Haar (Sep 20)
- Re: shouldn't snort redefine uricontent to handle proxies? Jason Haar (Sep 20)
- Message not available
- Re: shouldn't snort redefine uricontent to handle proxies? Matt Olney (Sep 21)
- Re: shouldn't snort redefine uricontent to handle proxies? Jason Haar (Sep 20)
- Re: shouldn't snort redefine uricontent to handle proxies? Matt Olney (Sep 20)