Snort mailing list archives

Re: Trouble with HTTP status message rule


From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 12 Mar 2015 17:02:50 -0500

On 03/12/2015 04:57 PM, Research wrote:
> Currently my rule is:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
>         (msg: "Web resource not found";
> flow:established,to_server; content:"404"; http_stat_code; priority:4;
> sid:2000110; rev:001;)
>
> http://mywebserver.com/notthere
>
> …the rule does not fire.
>
> I was wondering what I am missing.

The direction of the rule seems wrong to me since the HTTPd would be going "HTTP
404" to the client.  I can't think of where the client would be sending an HTTP
Response code for an HTTP Request.  I think you want to flip it, and once you
do, it'll work.  Not sure why it fires in testing honestly unless you have '404'
somewhere in your HTTP Request...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Web resource not
found"; flow:established,from_server; content:"404"; http_stat_code; ...

Cheers,
Nathan
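The mismatch Nathan points out (a response-side modifier such as http_stat_code paired with flow:to_server and $HTTP_PORTS as the destination) is easy to catch mechanically before a rule is deployed. The following checker is an added example, not code from the thread or from the Snort project; it parses a rule header and its options with a small regex and reports direction mismatches. The completed "flipped" rule is my own reconstruction of the elided suggestion (rev bumped to 2), not text from the reply.

```python
import re

# Snort rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# Modifiers that only make sense on one side of the HTTP conversation.
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg"}
REQUEST_ONLY = {"http_uri", "http_raw_uri", "http_method"}


def parse_rule(rule):
    """Split a (possibly backslash-continued) rule into header fields and an option dict."""
    m = HEADER_RE.match(rule.replace("\\\n", " "))
    if not m:
        raise ValueError("not a Snort rule")
    _action, _proto, src, sport, direction, dst, dport, body = m.groups()
    # Split options on ';' only outside quoted values (an even number of '"' must follow).
    opts = [o.strip() for o in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body) if o.strip()]
    keys = {}
    for o in opts:
        k, _, v = o.partition(":")
        keys[k.strip()] = v.strip()
    return {"src": src, "sport": sport, "dir": direction, "dst": dst, "dport": dport}, keys


def check_http_direction(rule):
    """Return mismatches between HTTP modifiers, the flow keyword and the header direction."""
    hdr, keys = parse_rule(rule)
    flow = {f.strip() for f in keys.get("flow", "").split(",")}
    resp = sorted(RESPONSE_ONLY & set(keys))
    req = sorted(REQUEST_ONLY & set(keys))
    problems = []
    if resp:  # status code/message live in the server's reply: the server must be the source
        if "to_server" in flow:
            problems.append(f"{resp} inspect the response, but flow says to_server")
        if hdr["dir"] == "->" and "$HTTP_PORTS" in hdr["dport"]:
            problems.append("response rule has $HTTP_PORTS as destination; flip the header")
    if req:  # URI/method live in the client's request: the server must be the destination
        if "from_server" in flow:
            problems.append(f"{req} inspect the request, but flow says from_server")
        if hdr["dir"] == "->" and "$HTTP_PORTS" in hdr["sport"]:
            problems.append("request rule has $HTTP_PORTS as source; flip the header")
    return problems


# The rule from the thread as posted, and a constructed, completed version of the suggested flip.
BAD_RULE = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
        (msg: "Web resource not found";
flow:established,to_server; content:"404"; http_stat_code; priority:4;
sid:2000110; rev:001;)'''
FIXED_RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"Web resource not found"; '
              'flow:established,from_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:2;)')
```

`check_http_direction(BAD_RULE)` returns two findings (flow and header port both point the wrong way), while the flipped rule returns an empty list.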


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
