Snort mailing list archives
Re: Have I lost my mind?
From: Todd Wease <twease () sourcefire com>
Date: Wed, 13 Jan 2010 16:06:58 -0500
On 01/13/2010 11:29 AM, Paul Schmehl wrote:
> I wrote a rule to see what a certain host was up to:
>
>   alert tcp 95.211.27.211 any -> $HOME_NET any (msg:"Up to no good?";
>   classtype:web-application-activity; sid:1000174; rev:1;)
>
> That produced (among others) this packet:
>
>   000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
>   010 : 0A 53 65 72 76 65 72 3A 20 67 77 73 0D 0A 44 61  .Server: gws..Da
>   020 : 74 65 3A 20 54 75 65 2C 20 31 32 20 4A 61 6E 20  te: Tue, 12 Jan
>   030 : 32 30 31 30 20 30 36 3A 34 35 3A 30 38 20 47 4D  2010 06:45:08 GM
>   040 : 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  T..Content-Type:
>   050 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 6E   text/html..Conn
>   060 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 58  ection: close..X
>   070 : 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50  -Powered-By: PHP
>   080 : 2F 35 2E 32 2E 36 2D 31 2B 6C 65 6E 6E 79 34 0D  /5.2.6-1+lenny4.
>   090 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
>   0a0 : 20 31 32 30 0D 0A 0D 0A 33 43 33 45 37 41 36 45   120....3C3E7A6E
>   0b0 : 36 38 32 35 37 30 36 32 37 41 37 41 36 33 36 34  682570627A7A6364
>   0c0 : 36 32 33 30 32 43 33 45 33 45 32 31 33 30 33 33  62302C3E3E213033
>   0d0 : 37 31 37 42 37 35 37 38 37 43 37 30 37 34 37 43  717B75787C70747C
>   0e0 : 32 31 33 46 36 42 36 42 34 36 30 43 31 41 30 31  213F6B6B460C1A01
>   0f0 : 31 42 31 42 32 43 31 42 35 30 34 34 34 36 34 46  1B1B2C1B5044464F
>   100 : 34 44 35 39 34 46 31 31 33 41 30 44 31 44 34 42  4D594F113A0D1D4B
>   110 : 35 39 35 39 35 32 35 36 34 43 35 38 30 34 33 31  595952564C580431
>
> Source address is 95.211.27.211. Source port is 80. So I wrote this rule:
>
>   alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>   flow:from_server,established; content:"Server: gws";
>   content:"X-Powered-By: P HP"; content:"+lenny4";
>   classtype:trojan-activity; sid:1000172; rev:1;)
>
> But it never triggered (even though the first rule continues to).
>
> So I altered it thus:
>
>   alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>   flow:from_server,established; uricontent:"Server: gws";
>   uricontent:"X-Powered-By: P HP"; uricontent:"+lenny4";
>   classtype:trojan-activity; sid:1000172; rev:2;)
>
> But it still didn't trigger, so I altered it again:
>
>   alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>   uricontent:"Server: gws"; uricontent:"X-Powered-By: PHP";
>   uricontent:"+lenny4"; classtype:trojan-activity; sid:1000172; rev:3;)
>
> But it still didn't trigger, so I altered it yet again:
>
>   alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Bredolab server ack";
>   content:"Server: gws"; content:"X-Powered-By: PHP"; content:"+lenny4";
>   classtype:trojan-activity; sid:1000172; rev:4;)
>
> It still doesn't trigger. Someone please enlighten me. What am I missing?
Most likely the issue is that you're specifying uricontent, when the contents are actually in the header. You should rather specify:

  content:"Server: gws"; http_header;

etc.
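To see concretely why the uricontent revisions cannot fire, here is an added example (my code, not code from this thread or from the Snort project) that rebuilds the TCP payload from the packet dump quoted above and checks the rule's three content strings against the buffers a content match can be pointed at. The buffer model is an assumption, not Snort's implementation: http_header is approximated as the response header lines after the status line, and uricontent as an empty buffer, because only a client request carries a URI.

```python
import re

# The server response as dumped by Paul's first rule, copied from the
# post above (one dump row per line, as Snort prints it).
RESPONSE_DUMP = """\
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
010 : 0A 53 65 72 76 65 72 3A 20 67 77 73 0D 0A 44 61 .Server: gws..Da
020 : 74 65 3A 20 54 75 65 2C 20 31 32 20 4A 61 6E 20 te: Tue, 12 Jan
030 : 32 30 31 30 20 30 36 3A 34 35 3A 30 38 20 47 4D 2010 06:45:08 GM
040 : 54 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A T..Content-Type:
050 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 6E  text/html..Conn
060 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 58 ection: close..X
070 : 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20 50 48 50 -Powered-By: PHP
080 : 2F 35 2E 32 2E 36 2D 31 2B 6C 65 6E 6E 79 34 0D /5.2.6-1+lenny4.
090 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A .Content-Length:
0a0 : 20 31 32 30 0D 0A 0D 0A 33 43 33 45 37 41 36 45  120....3C3E7A6E
0b0 : 36 38 32 35 37 30 36 32 37 41 37 41 36 33 36 34 682570627A7A6364
0c0 : 36 32 33 30 32 43 33 45 33 45 32 31 33 30 33 33 62302C3E3E213033
0d0 : 37 31 37 42 37 35 37 38 37 43 37 30 37 34 37 43 717B75787C70747C
0e0 : 32 31 33 46 36 42 36 42 34 36 30 43 31 41 30 31 213F6B6B460C1A01
0f0 : 31 42 31 42 32 43 31 42 35 30 34 34 34 36 34 46 1B1B2C1B5044464F
100 : 34 44 35 39 34 46 31 31 33 41 30 44 31 44 34 42 4D594F113A0D1D4B
110 : 35 39 35 39 35 32 35 36 34 43 35 38 30 34 33 31 595952564C580431
"""

# The three content strings from the "Bredolab server ack" rule in the post.
BREDOLAB_CONTENTS = [b"Server: gws", b"X-Powered-By: PHP", b"+lenny4"]

# Offset, colon, then up to 16 "hh " byte columns. The ASCII column that
# follows is deliberately not captured: it can contain hex-looking text
# such as the "12" in "12 Jan" that a naive token split would swallow.
DUMP_ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}\s){1,16})")


def payload_from_dump(dump: str) -> bytes:
    """Rebuild the raw TCP payload bytes from a Snort-style hex dump."""
    data = bytearray()
    for row in dump.splitlines():
        m = DUMP_ROW.match(row)
        if m:
            data += bytes.fromhex(m.group(1))
    return bytes(data)


def split_http_response(payload: bytes):
    """Split a raw HTTP response into (status_line, header_block, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in payload")
    status_line, _, header_block = head.partition(b"\r\n")
    return status_line, header_block, body


def parse_headers(header_block: bytes) -> dict:
    """Lower-cased header name -> value, used to sanity-check the capture."""
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def buffers_for_response(payload: bytes) -> dict:
    """Approximate the buffers a content match can be restricted to.

    Assumption (mine, not from the thread): http_header on server traffic
    is modelled as the header lines after the status line; uricontent is
    modelled as empty, because only client requests carry a URI.
    """
    _status, header_block, _body = split_http_response(payload)
    return {
        "uricontent": b"",           # a server response has no request URI
        "http_header": header_block,
        "raw": payload,              # plain content: whole payload
    }


def rule_matches(buffers: dict, buffer_name: str, contents) -> bool:
    """True when every content string is found in the chosen buffer."""
    buf = buffers[buffer_name]
    return all(c in buf for c in contents)


if __name__ == "__main__":
    payload = payload_from_dump(RESPONSE_DUMP)
    buffers = buffers_for_response(payload)
    for name in ("uricontent", "http_header", "raw"):
        print(f"{name:12s} -> {rule_matches(buffers, name, BREDOLAB_CONTENTS)}")
    # A content string broken by a stray space, like the "P HP" in the first
    # two rule revisions above, matches in no buffer at all.
    print("wrapped     ->", rule_matches(buffers, "raw", [b"X-Powered-By: P HP"]))
    # Sanity check on the capture: Content-Length agrees with the body seen.
    _status, header_block, body = split_http_response(payload)
    print("content-length ok:", int(parse_headers(header_block)["content-length"]) == len(body))
```

Run stand-alone, the three strings match in the http_header and raw buffers and never in uricontent, and the space-broken "P HP" string matches nowhere. Two caveats worth checking before blaming the content strings: on Snort 2.8.6 and later the response-side buffers that http_header inspects are only populated when extended_response_inspection is enabled in the http_inspect_server preprocessor configuration, and a plain content: match with no modifier (rev:4 above) is evaluated against the raw payload regardless, so if that revision also stays silent the cause lies outside the matches, typically in how $EXTERNAL_NET and $HOME_NET are defined or in the rules file not being included at all.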
Current thread:
- Have I lost my mind? Paul Schmehl (Jan 13)
- Re: Have I lost my mind? Joel Esler (Jan 13)
- Re: Have I lost my mind? Paul Schmehl (Jan 13)
- Re: Have I lost my mind? Joel Esler (Jan 13)
- Re: Have I lost my mind? Paul Schmehl (Jan 13)
- Re: Have I lost my mind? Todd Wease (Jan 13)
- Re: Have I lost my mind? evilghost () packetmail net (Jan 13)
- Re: Have I lost my mind? David . R . Wharton (Jan 13)
- Re: Have I lost my mind? Todd Wease (Jan 13)
- Re: Have I lost my mind? Jason Haar (Jan 21)
- Re: Have I lost my mind? Paul Schmehl (Jan 13)
- Re: Have I lost my mind? Joel Esler (Jan 13)