This is a discussion on Re: [Snort-users] uricontent questions within the Snort forums, part of the System Security and Security Related category.
I changed it to a more generic form.

alert tcp any any <> any any (msg: "foo found"; uricontent:"foo"; nocase;)

and it still does not trip an alert. Ideas?

Brad Rothwell
INL/ICP Cyber Security

Matt Kettler <mkettler@evi-inc.com>
Sent by: snort-users-admin@lists.sourceforge.net
03/02/2005 02:43 PM
To: Brad W Rothwell <ROTHBW@inel.gov>, snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] uricontent questions

At 02:54 PM 3/2/2005, Brad W Rothwell wrote:
>All, I recently installed snort 2.3.0. My understanding is that I can
>use uricontent to search for strings as they appear in the browser address
>location bar. For example, if the address location is http://foo.com the
>following rule should alert.
>
>alert tcp any any <> $HTTP_SERVERS any (msg: "foo found"; uricontent:"foo"; nocase;)
>
>I have http_inspect set to the following:
>
>preprocessor http_inspect: global \
>    iis_unicode_map unicode.map 1252
>
>preprocessor http_inspect_server: server default \
>    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0
>
>The rule does not alert. Am I missing something?

What is HTTP_SERVERS set to? The above rule will only alert if the server
for foo.com is actually a part of that net range.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
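A small Python model of what `uricontent` actually inspects, added here as an illustration and not taken from the thread or from Snort's source: the pattern is searched only in the normalized request-URI that http_inspect extracts from the request line of a request to one of its configured ports, whereas a plain `content` match searches the whole packet payload, headers included. The normalization routine is an assumption that approximates http_inspect (percent-decoding and directory resolution) rather than a copy of it; the sample requests are constructed, and HTTP_PORTS is taken from the http_inspect_server line posted above.

```python
"""
Toy model of how a Snort 2.x `uricontent` match is evaluated, next to a plain
`content` match, so the difference between the two buffers is visible.
Example code added for illustration; it is not Snort's own code.
"""
import re
from urllib.parse import unquote

# Ports http_inspect_server was told to inspect in the posted config.
HTTP_PORTS = {80, 8080, 8180}


def extract_request_uri(payload: bytes):
    """Return the request-target from an HTTP request line, or None if the
    payload does not start with a well-formed request line."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")


def normalize_uri(uri: str) -> str:
    """Approximation of http_inspect's URI normalization (an assumption, not
    the real algorithm): percent-decode the path, drop empty and '.' segments,
    resolve '..', and leave any scheme://host prefix and the query untouched."""
    prefix = ""
    m = re.match(r"^(https?://[^/]*)(.*)$", uri, re.IGNORECASE)
    if m:
        prefix, uri = m.group(1), m.group(2) or "/"
    path, sep, query = uri.partition("?")
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return prefix + "/" + "/".join(segments) + (sep + query if sep else "")


def uricontent_matches(payload: bytes, pattern: str, dst_port: int,
                       nocase: bool = False) -> bool:
    """uricontent only sees the normalized request-URI, and only when
    http_inspect parsed the packet, i.e. a request to an inspected port."""
    if dst_port not in HTTP_PORTS:
        return False
    uri = extract_request_uri(payload)
    if uri is None:
        return False
    uri = normalize_uri(uri)
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Plain content searches the whole packet payload, headers included."""
    hay, needle = payload, pattern.encode("latin-1")
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


# Constructed sample requests (not captured traffic).
# What a browser sends for http://foo.com/ : the host name is only in the
# Host header; the request-URI is just "/".
BROWSER_REQ = b"GET / HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: test\r\n\r\n"
# Absolute-form request, as sent to a forward proxy: the host is in the URI.
PROXY_REQ = b"GET http://foo.com/ HTTP/1.1\r\nHost: foo.com\r\n\r\n"
# Obfuscated path that normalizes to /FOO/bar.
PATH_REQ = b"GET /a/../FOO/%62ar?x=1 HTTP/1.1\r\nHost: example.org\r\n\r\n"


if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQ), ("proxy", PROXY_REQ),
                      ("path", PATH_REQ)):
        print(name, "uri=%r" % normalize_uri(extract_request_uri(req)),
              "uricontent:foo ->", uricontent_matches(req, "foo", 80, nocase=True),
              "content:foo ->", content_matches(req, "foo", nocase=True))
```

Run as a script, it shows which buffer each constructed request puts "foo" into: for the browser-style request to http://foo.com/ the request-URI is just "/" and the host name appears only in the Host header, so `uricontent:"foo"` has nothing to match while `content:"foo"` does; the absolute-form proxy request is the case where the host name is part of the URI buffer. Requests to a port outside the http_inspect port list never reach the uricontent check at all.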