Snort mailing list archives

Re: Can't generate alerts on HTTP GET attacks


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Tue, 8 Jul 2014 14:45:43 +0000

Another thing to note is that even though the double slash (//) should be removed, it would still function as it will 
be normalized to a single forward slash. If you were attempting to detect an actual double slash, you would need to use 
“http_raw_uri” instead of “http_uri”.

Simon is also correct that the URI encoding in your rule will be normalized.

-Nick

From: Simon Wesseldine <simon.wesseldine () idappcom com>
Date: Thursday, July 3, 2014 at 4:21 AM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Can't generate alerts on HTTP GET attacks

Hi Sabawoon,

I notice from the rule you have written, that you have included the percent encoded characters (e.g. 
content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjwcom%2F ";)
Depending on your configuration of Snort, the percent encoding is likely to be normalized and you should write your 
rule for the normalized version of the attack. Also check to make sure that "%2f%sf" is not being normalized to "/".

Try changing your content matches to the normalized version (e.g. content:"|2f|index|2e|php|3f|keywords|3d|http|3a 2f 
2f|revftdrcghjw|2e|com|2f|";) and let Snort do the work for you.
If you wanted to be extra cautious, you could use pcre and write - 
pcre:"/\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f)?revftdrcghjw\x2ecom(\x25|\x2f)/i";

If this is not your intention, then maybe you should consider the keywords 'raw' in your matches.

Hope that helps.
Best regards,
Simon.

Please join our new group on linkedin - IPS Security Rules (Snort & Suricata)
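As an added illustration of both points in this thread (not code from the thread or from Snort itself), the toy model below builds an http_uri-style buffer from a raw URI the way the replies describe, percent-decoding and then collapsing the leading double slash, and runs three content patterns against both the normalized and the raw buffer. The placeholder domain is the one in the thread; collapsing slashes only in the path component and the two-step normalization are assumptions of this model, since real http_inspect applies more normalizations.

```python
"""Toy model of Snort's http_uri vs http_raw_uri buffers (added example)."""
import re
from urllib.parse import unquote_to_bytes


def normalize_uri(raw_uri: bytes) -> bytes:
    """Build the http_uri-style buffer: percent-decode, then collapse
    repeated slashes. Assumption of this model: slashes are collapsed only
    in the path component; real http_inspect applies more normalizations."""
    decoded = unquote_to_bytes(raw_uri)            # %3A -> ':', %2F -> '/'
    path, sep, query = decoded.partition(b"?")
    return re.sub(rb"/{2,}", b"/", path) + sep + query


def content_matches(buffer: bytes, pattern: bytes) -> bool:
    """Snort-style content match: a plain substring search on one buffer."""
    return pattern in buffer


# Constructed request URI in the style of the thread (domain is a placeholder).
RAW_URI = b"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"
NORMALIZED_URI = normalize_uri(RAW_URI)

# Three content patterns from the thread, as the bytes the matcher sees:
ENCODED_CONTENT = b"//index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"  # original rule
NORMALIZED_CONTENT = b"/index.php?keywords=http://revftdrcghjw.com/"      # Simon's |hex| version
DOUBLE_SLASH_CONTENT = b"//index.php"                                       # Nick's double slash


def check_rule(pattern: bytes) -> dict:
    """Report whether a content pattern hits the http_uri or http_raw_uri buffer."""
    return {
        "http_uri": content_matches(NORMALIZED_URI, pattern),
        "http_raw_uri": content_matches(RAW_URI, pattern),
    }


if __name__ == "__main__":
    print("normalized:", NORMALIZED_URI)
    for name, pat in [("encoded", ENCODED_CONTENT),
                      ("normalized", NORMALIZED_CONTENT),
                      ("double slash", DOUBLE_SLASH_CONTENT)]:
        print(f"{name:13}", check_rule(pat))
```

The percent-encoded pattern and the double-slash pattern only hit the raw buffer, which is why the original rule never fired on http_uri, while the decoded pattern only hits the normalized buffer.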
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

