This is a discussion on Re: [Snort-users] uricontent error within the Snort forums, part of the System Security and Security Related category.
Re: [Snort-users] uricontent error

Uricontent by default will only read 300 bytes into a packet. (You can configure this, but I recommend not.) Since uricontent is really only good at the beginning of a session, it's really handy for an initial GET request.

My recommendation is that you use content, not uricontent.

J

On Sep 15, 2005, at 1:07 AM, Dario Alonso wrote:

> Hi.
> I'm trying a simple snort rule with uricontent, and it doesn't capture anything.
>
> My config file is this:
> ------------------------------
> var HOME_NET 172.26.0.0/24
> var EXTERNAL_NET any
> var HTTP_SERVERS 172.26.0.4
> var RULE_PATH c:\snort\rules
> var HTTP_PORTS 80
> #preprocessor frag2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> include $RULE_PATH/rule1.txt
> ------------------------------
>
> And my rule1.txt is this:
> -----------------------------
> alert tcp any any <> any any (uricontent:"search";)
> alert tcp any any -> any any (uricontent:"exec"; )
> -----------------------------
>
> I run snort in windows
> snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf
> And search the words exec or search in google, and... nothing at all.
>
> I was looking in the list's files, and I think everything is ok
>
> Thanks
>
> Correo Yahoo!
> Check what's new, here
> http://correo.yahoo.es
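As an added example (not part of the thread, and not Snort's own code), here is a small Python model of the difference the reply is pointing at: `uricontent` only sees the request-target of the request line, and only as far into the packet as the inspection depth allows (the 300-byte figure is the one quoted in the reply, treated here as an assumption), whereas `content` searches the whole raw payload. The sample requests are constructed.

```python
# Added example: simplified model of Snort's `uricontent` vs `content` matching.
# Assumption: uricontent sees only the request-target of an HTTP request line,
# and only the part of it that lies within the first URI_INSPECT_DEPTH bytes.
from typing import Optional, Tuple

URI_INSPECT_DEPTH = 300  # figure quoted in the reply; configurable in Snort


def uri_span(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (start, end) byte offsets of the request-target in an HTTP
    request line, or None if the first line is not a request line
    (a server response or mid-stream data has no URI buffer at all)."""
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    start = len(parts[0]) + 1
    return start, start + len(parts[1])


def uricontent_match(payload: bytes, needle: bytes,
                     depth: int = URI_INSPECT_DEPTH) -> bool:
    """Model of `uricontent; nocase`: only the URI bytes within `depth` count."""
    span = uri_span(payload)
    if span is None:
        return False
    start, end = span
    return needle.lower() in payload[start:min(end, depth)].lower()


def content_match(payload: bytes, needle: bytes) -> bool:
    """Model of `content; nocase`: the whole raw payload is searched."""
    return needle.lower() in payload.lower()


def check_rules(payload: bytes, needle: bytes) -> dict:
    """Evaluate both keyword styles against one packet payload."""
    return {"uricontent": uricontent_match(payload, needle),
            "content": content_match(payload, needle)}


# Constructed sample traffic (not real captures).
GET_REQ = b"GET /search?q=exec HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
POST_REQ = (b"POST /submit HTTP/1.1\r\nHost: www.google.com\r\n"
            b"Content-Length: 6\r\n\r\nq=exec")          # term only in the body
LONG_GET = (b"GET /search?" + b"a" * 300 + b"&q=exec HTTP/1.1\r\n"
            b"Host: www.google.com\r\n\r\n")              # term past byte 300

if __name__ == "__main__":
    for name, req in (("GET", GET_REQ), ("POST", POST_REQ), ("LONG", LONG_GET)):
        print(name, check_rules(req, b"exec"))
```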