
List:       snort-sigs
Subject:    Re: [Snort-sigs] Can't generate snort alerts with GET HTTP using pcre.
From:       "Simon Wesseldine" <simon.wesseldine () idappcom ! com>
Date:       2014-08-04 8:56:15
Message-ID: 002d01cfafc1$f3ccd4f0$db667ed0$ () wesseldine () idappcom ! com


Hi Sabawoon,

I shall try and help you with your question, but it looks like you have a
number of issues with your rules that are causing you problems. The main
advice I would like to offer you is:

1. When using the http_method keyword, it must come immediately after the
content match you wish for it to operate on, e.g. content:"GET"; http_method;

2. Some characters within pcre matches must be escaped with a backslash for
them to operate as you would want, e.g. the period (.) is a wildcard in pcre
if not escaped correctly (\.).

3. Your pcre match ^[a-zA-Z]+$ is looking for a string of characters from the
start of a line to the finish of a line. This will not match on a URI, because
the URI will include spaces ( HTTP/1.1). Also remember that the repetition
characters (+*) are greedy by default in Snort.

If you are trying to raise an alert for every event that is NOT a match, then
you can use negated content or pcre matches, e.g. content:!"string"; or
pcre:!"/string/si";. But for what I think you are trying to achieve, within
character classes you can also use the caret to negate a match, e.g.
[^a-zA-Z]. It goes within the square brackets.

 

I would try something like this for what you describe:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a number passed to the id parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|city|2e|php|3f|"; nocase; pcre:"/id\x3d[0-9]*?[^0-9]/is"; classtype:web-application-attack; sid:1000000; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a string passed to the city parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|current|5f|time|5f|in|5f|AF|2e|aspx|3f|"; nocase; pcre:"/city\x3d[a-zA-Z]*?[^a-zA-Z]/is"; classtype:web-application-attack; sid:1000001; rev:1;)

Best regards,

Simon.

Join our New Group on LinkedIn - "IPS Security Rules (Snort & Suricata)"

Custom Snort rules made easy -
http://www.ipssecurityrules.co.uk/products/easy_rules_creator.php
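The matching logic of the two rules above, as an added example that is not part of Simon's message: it approximates Snort's evaluation order (http_method, content with nocase, then pcre with /is) using Python's re module against constructed request lines, and adds an assumed "bounded" variant of each pcre, because with no U modifier the lazy `[0-9]*?[^0-9]` runs over the whole payload, where the space before HTTP/1.1 also satisfies `[^0-9]` and a purely numeric id still fires.

```python
import re

# Constructed HTTP request lines for the demo (not from the original thread).
REQUESTS = [
    "GET /city.php?id=123 HTTP/1.1",
    "GET /city.php?id=12abc HTTP/1.1",
    "GET /city.php?id=abc&x=1 HTTP/1.1",
    "GET /current_time_in_AF.aspx?city=Kabul HTTP/1.1",
    "GET /current_time_in_AF.aspx?city=Kab1ul HTTP/1.1",
    "POST /city.php?id=abc HTTP/1.1",
]

# Simon's rule pieces: |2f|city|2e|php|3f| is "/city.php?", |5f| is "_".
RULE_ID = {"method": "GET", "content": "/city.php?",
           "pcre": r"id\x3d[0-9]*?[^0-9]"}
RULE_CITY = {"method": "GET", "content": "/current_time_in_AF.aspx?",
             "pcre": r"city\x3d[a-zA-Z]*?[^a-zA-Z]"}
# Assumed variants: a greedy run of allowed characters followed by a byte that is
# neither allowed nor a value terminator (& or whitespace), so "id=123 HTTP/1.1"
# no longer fires while "id=12abc" and "id=abc&x=1" still do.
RULE_ID_BOUNDED = dict(RULE_ID, pcre=r"id\x3d[0-9]*[^0-9&\s]")
RULE_CITY_BOUNDED = dict(RULE_CITY, pcre=r"city\x3d[a-zA-Z]*[^a-zA-Z&\s]")


def rule_fires(request, rule):
    """Approximate Snort's order: http_method, then content;nocase, then pcre /is."""
    if request.split(" ", 1)[0] != rule["method"]:        # content:"GET"; http_method;
        return False
    if rule["content"].lower() not in request.lower():     # content:"..."; nocase;
        return False
    # /is = case-insensitive, dot matches newline; no U modifier, so whole payload
    return re.search(rule["pcre"], request, re.I | re.S) is not None


def alerts(rule):
    """Request lines on which the rule would raise an alert."""
    return [r for r in REQUESTS if rule_fires(r, rule)]


def original_pattern_matches(payload):
    """Point 3: ^[a-zA-Z]+$ needs the entire payload to be letters; a request line fails."""
    return re.search(r"^[a-zA-Z]+$", payload) is not None


if __name__ == "__main__":
    for name, rule in [("id", RULE_ID), ("id bounded", RULE_ID_BOUNDED),
                       ("city", RULE_CITY), ("city bounded", RULE_CITY_BOUNDED)]:
        print(name, "->", alerts(rule))
```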







_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
