
List:       snort-users
Subject:    Re: [Snort-users] Issues with http_* attributes
From:       "Al Lewis \(allewi\) via Snort-users" <snort-users () lists ! snort ! org>
Date:       2020-02-26 12:56:16
Message-ID: D05CDA09-7237-436B-BDFA-62F4B8B9BD0D () cisco ! com


An explanation is provided in the dev notes file (located in the download):

src/service_inspectors/http_inspect/dev_notes.txt

"1. HI considers it to be normal for reserved characters to be percent encoded and does not generate an alert. The 119/1 alert is used only for unreserved characters that are found to be percent encoded. The ignore_unreserved configuration option allows the user to specify a list of unreserved characters that are exempt from this alert."

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
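The 119/1 decision quoted from dev_notes.txt, modelled as an added example (not code from Snort or from anyone in this thread): a Python classifier walks a request URI, decodes each percent-encoded octet, and reports which encoded characters are RFC 3986 unreserved (the ones that would raise gid 119 sid 1, "ascii encoding") versus reserved (accepted silently), with an ignore_unreserved parameter standing in for the http_inspect option of that name. How malformed and non-URI octets are bucketed here is an assumption, not Snort's documented behaviour.

```python
"""Model of the http_inspect 119/1 ("ascii encoding") decision from dev_notes.txt.

Added example, not code from the Snort project.  RFC 3986 supplies the
reserved/unreserved character classes; how malformed or non-URI octets are
bucketed here is an assumption, not Snort's documented behaviour.
"""
from dataclasses import dataclass, field
import string

# RFC 3986 section 2.3 (unreserved) and 2.2 (reserved = gen-delims + sub-delims)
UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")
RESERVED = frozenset(":/?#[]@!$&'()*+,;=")


@dataclass
class UriReport:
    decoded: str                     # URI with every valid %XX sequence decoded
    unreserved_encoded: list = field(default_factory=list)  # would trigger 119/1
    exempted: list = field(default_factory=list)            # unreserved but in ignore list
    reserved_encoded: list = field(default_factory=list)    # normal, no alert
    other_encoded: list = field(default_factory=list)       # controls, non-ASCII, etc.
    malformed: int = 0               # '%' not followed by two hex digits

    @property
    def alert_119_1(self) -> bool:
        """gid 119 sid 1 fires only for percent-encoded unreserved characters
        that are not exempted by ignore_unreserved."""
        return bool(self.unreserved_encoded)


def inspect_uri(uri: str, ignore_unreserved: str = "") -> UriReport:
    """Walk the URI once, decoding %XX and classifying what was encoded.

    ignore_unreserved mirrors the http_inspect option of the same name: a
    string of unreserved characters that are exempt from the 119/1 alert.
    """
    exempt = frozenset(ignore_unreserved)
    decoded = []
    report = UriReport(decoded="")
    i = 0
    while i < len(uri):
        if uri[i] != "%":
            decoded.append(uri[i])
            i += 1
            continue
        pair = uri[i + 1:i + 3]
        if len(pair) == 2 and all(h in string.hexdigits for h in pair):
            ch = chr(int(pair, 16))
            if ch in UNRESERVED:
                (report.exempted if ch in exempt else report.unreserved_encoded).append(ch)
            elif ch in RESERVED:
                report.reserved_encoded.append(ch)
            else:
                report.other_encoded.append(ch)
            decoded.append(ch)
            i += 3
        else:
            # Assumption: keep a lone or invalid '%' as-is and count it so the
            # caller can see that the URI was not cleanly encoded.
            report.malformed += 1
            decoded.append("%")
            i += 1
    report.decoded = "".join(decoded)
    return report


if __name__ == "__main__":
    # Constructed inputs built on the URI seen in the thread (/fakenews/tmp/attack.txt).
    for uri, ignore in [("/fakenews/tmp/attack.txt", ""),
                        ("/fakenews/tmp/att%61ck.txt", ""),
                        ("/fakenews/tmp/att%61ck.txt", "a"),
                        ("/fakenews%2Ftmp/attack.txt", "")]:
        r = inspect_uri(uri, ignore)
        print(f"{uri:32} ignore={ignore!r:5} 119/1={r.alert_119_1} -> {r.decoded}")
```

Only the second constructed URI raises the modelled 119/1: "%61" encodes the unreserved letter "a", while "%2F" encodes the reserved "/" and is accepted without an alert, matching the dev notes.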



From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of "Al Lewis (allewi) via Snort-users" <snort-users@lists.snort.org>
Reply-To: "Al Lewis (allewi)" <allewi@cisco.com>
Date: Wednesday, February 26, 2020 at 7:33 AM
To: Preetham Bomma <preethambomma@gmail.com>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes

That is a preprocessor rule that is alerting, which means the http_inspect preprocessor has an issue with the traffic.

The traffic has to be decoded and preprocessed before the rule can be applied correctly.

Check the http_inspect section of the manual for the configuration options.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com



From: Preetham Bomma <preethambomma@gmail.com>
Date: Wednesday, February 26, 2020 at 4:00 AM
To: "Al Lewis (allewi)" <allewi@cisco.com>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes

Hi,

With the same command from the previous mail and with the unedited configuration, we are currently having this as output. Our expected outcome is to see the "alert with the message ". This is the rule I'm currently using:


alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"ab"; content:"attack"; sid:1; rev:1; )

Output:
02/26-02:12:39.802559 [**] [119:1:1] "(http_inspect) ascii encoding" [**] [Priority: 3] {TCP} 192.168.56.1:63276 -> 192.168.56.105:80
http_inspect.http_method[3]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
47 45 54                                          GET
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
http_inspect.http_version[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
48 54 54 50 2F 31 2E 31                           HTTP/1.1
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
http_inspect.http_uri[24]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 61 6B 65 6E 65 77  73 2F 74 6D 70 2F 61 74  /fakenew s/tmp/at
74 61 63 6B 2E 74 78 74                           tack.txt
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -



On Tue, Feb 25, 2020 at 7:50 PM Preetham Bomma <preethambomma@gmail.com> wrote:

Thank you so much for the response. I'll check them out and get back to you.

On Tue, Feb 25, 2020 at 7:12 PM Al Lewis (allewi) <allewi@cisco.com> wrote:

Hello Preetham,

Using your conf unedited I am able to get an alert on the content "attack" (pcap I used is attached). See if you can get an alert using the -r option. You may have a local/network issue.


ubuntu19@ubuntu19:/var/tmp/snort++$ ./bin/snort -c etc/snort/preetham.lua -r etc/snort/attack.txt-http-get.pcap -R etc/snort/preetham.rules -Acsv -k none -q
10/13-08:55:36.104000, 9, TCP, stream_tcp, 8, S2C, 173.37.145.84:80, 192.168.0.1:19158, 1:1:1, allow

ubuntu19@ubuntu19:/var/tmp/snort++$ ./bin/snort -c etc/snort/preetham.lua -r etc/snort/attack.txt-http-get.pcap -R etc/snort/preetham.rules -Acmg -k none -q
10/13-08:55:36.104000 [**] [1:1:1] "ab" [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 192.168.0.1:19158

http_inspect.http_version[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
48 54 54 50 2F 31 2E 31                           HTTP/1.1
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_stat_code[3]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
32 30 30                                          200
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_stat_msg[2]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
4F 6B                                             Ok
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_uri[24]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 61 6B 65 6E 65 77  73 2F 74 6D 70 2F 61 74  /fakenew s/tmp/at
74 61 63 6B 2E 74 78 74                           tack.txt
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_header[328]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
44 61 74 65 3A 20 57 65  64 2C 20 32 39 20 4A 75  Date: We d, 29 Ju
6C 20 32 30 30 39 20 31  33 3A 33 35 3A 32 36 20  l 2009 1 3:35:26
47 4D 54 0D 0A 53 65 72  76 65 72 3A 20 41 70 61  GMT..Ser ver: Apa
63 68 65 2F 32 2E 32 2E  33 20 28 44 65 62 69 61  che/2.2. 3 (Debia
6E 29 20 50 48 50 2F 35  2E 32 2E 30 2D 38 20 65  n) PHP/5 .2.0-8 e
74 63 68 31 30 20 6D 6F  64 5F 73 73 6C 2F 32 2E  tch10 mo d_ssl/2.
32 2E 33 20 4F 70 65 6E  53 53 4C 2F 30 2E 39 2E  2.3 Open SSL/0.9.
38 63 0D 0A 4C 61 73 74  2D 4D 6F 64 69 66 69 65  8c..Last -Modifie
64 3A 20 53 75 6E 2C 20  32 30 20 4A 61 6E 20 32  d: Sun,  20 Jan 2
30 30 38 20 31 32 3A 30  31 3A 32 31 20 47 4D 54  008 12:0 1:21 GMT
0D 0A 45 54 61 67 3A 20  22 61 38 30 31 63 2D 31  ..ETag:  "a801c-1
62 62 64 31 63 2D 32 32  34 31 36 36 34 30 22 0D  bbd1c-22 416640".
0A 41 63 63 65 70 74 2D  52 61 6E 67 65 73 3A 20  .Accept- Ranges:
62 79 74 65 73 0D 0A 43  6F 6E 74 65 6E 74 2D 4C  bytes..C ontent-L
65 6E 67 74 68 3A 20 38  0D 0A 4B 65 65 70 2D 41  ength: 8 ..Keep-A
6C 69 76 65 3A 20 74 69  6D 65 6F 75 74 3D 31 35  live: ti meout=15
2C 20 6D 61 78 3D 39 39  0D 0A 43 6F 6E 6E 65 63  , max=99 ..Connec
74 69 6F 6E 3A 20 4B 65  65 70 2D 41 6C 69 76 65  tion: Ke ep-Alive
0D 0A 43 6F 6E 74 65 6E  74 2D 54 79 70 65 3A 20  ..Conten t-Type:
61 70 70 6C 69 63 61 74  69 6F 6E 2F 6F 63 74 65  applicat ion/octe
74 2D 73 74 72 65 61 6D                           t-stream
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.stream_tcp[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
61 74 74 61 63 6B 0A 0A                           attack..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -


Hope this helps.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com



From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Reply-To: Preetham Bomma <preethambomma@gmail.com>
Date: Tuesday, February 25, 2020 at 6:33 AM
To: Dorian ROSSE <dorianbrice@hotmail.fr>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes

I have installed Snort 3 and it's working fine. The issue I'm facing now is, Snort is not able to detect any attacks. For example, I've written rules to detect a simple payload (PFA rules file and snort conf file).

Command: ./snort -R test.rules -c ../etc/snort/snort.lua -A cmg -i "enp0s8"

On Tue, Feb 25, 2020 at 3:04 PM Dorian ROSSE <dorianbrice@hotmail.fr> wrote:

The snort 2 document for http module

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000


Regards.


Dorian Rosse.

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Sent: Tuesday, February 25, 2020 7:08:51 AM
To: Russ Combs (rucombs) <rucombs@cisco.com>
Cc: snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes

I've installed Snort 2.9.15 (latest version for Snort 2). I'm attaching the configuration and rules file for reference. The issue remains the same even with Snort 2.9.15.

The GitHub issue https://github.com/snort3/snort3/issues/79#issuecomment-486070883 recommends running snort in Inline and Passive mode. Can you please provide us the steps for the same in Snort 2.9.15 version?

On Fri, Feb 21, 2020 at 5:14 PM Russ Combs (rucombs) <rucombs@cisco.com> wrote:

Preetham,

2.9.7.0 is ancient (2014). You need to update ASAP.

If your issue is the same as the one referenced below, that issue has the solution. If it is only similar, we need to know how they differ. If you are using the default conf, then a pcap will suffice. If you have changed the config, we need to see that as well.

But that's after you update.

Thanks

Russ



From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Reply-To: Preetham Bomma <preethambomma@gmail.com>
Date: Thursday, February 20, 2020 at 11:54 AM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] Issues with http_* attributes



Hi,

We are trying to use http_* attributes in snort rules, specifically "http_client_body" and "http_uri" to detect payloads in HTTP requests. Snort is not handling the rules which have "http_*" attributes in it. Our issue with snort is similar to https://github.com/snort3/snort3/issues/79.

Snort version tested: Version 2.9.7.0 GRE (Build 149)
Snort command : snort  -A console -Q -c /etc/snort/snort.conf -i eth0 -N
OS: Ubuntu 18.04

Snort rule: alert tcp any any -> any 80 (msg:"testing body"; content:"EFG"; http_client_body; sid:100023;)

Expected behavior: Snort has to give an alert when the request body contains the string "EFG". Actual behavior: Snort does not give any alert.

Thanks,
Preetham


style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">62 62 64 31 63 2D 32 32&nbsp; 34 31 36 36 34 30 22 \
0D&nbsp; bbd1c-22 416640&quot;.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">0A 41 63 63 65 70 74 2D&nbsp; 52 61 6E 67 65 73 3A \
20&nbsp; .Accept- Ranges: </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">62 79 74 65 73 0D 0A 43&nbsp; 6F 6E 74 65 6E 74 2D \
4C&nbsp; bytes..C ontent-L</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">65 6E 67 74 68 3A 20 38&nbsp; 0D 0A 4B 65 65 70 2D \
41&nbsp; ength: 8 ..Keep-A</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">6C 69 76 65 3A 20 74 69&nbsp; 6D 65 6F 75 74 3D 31 \
35&nbsp; live: ti meout=15</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">2C 20 6D 61 78 3D 39 39&nbsp; 0D 0A 43 6F 6E 6E 65 \
63&nbsp; , max=99 ..Connec</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">74 69 6F 6E 3A 20 4B 65&nbsp; 65 70 2D 41 6C 69 76 \
65&nbsp; tion: Ke ep-Alive</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">0D 0A 43 6F 6E 74 65 6E&nbsp; 74 2D 54 79 70 65 3A \
20&nbsp; ..Conten t-Type: </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">61 70 70 6C 69 63 61 74&nbsp; 69 6F 6E 2F 6F 63 74 \
65&nbsp; applicat ion/octe</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">74 2D 73 74 72 65 61 \
6D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
t-stream </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">- - - - - - - - - - - -&nbsp; - - - - - - - - - - - \
-&nbsp; - - - - - - - - -</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">&nbsp;</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">http_inspect.stream_tcp[8]:</span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">- - - - - - - - - - - -&nbsp; - - - - - - - - - - - \
-&nbsp; - - - - - - - - -</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">61 74 74 61 63 6B 0A \
0A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
attack.. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">- - - - - - - - - - - -&nbsp; - - - - - - - - - - - \
-&nbsp; - - - - - - - - -</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
 <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">Hope this helps.</span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">&nbsp;</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
<div> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier;color:#999999">Email:&nbsp;</span><span \
style="font-family:Courier;color:black"><a href="mailto:allewi@cisco.com" \
target="_blank"><span \
style="color:purple">allewi@cisco.com</span></a></span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="color:black">&nbsp;</span><o:p></o:p></p> </div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
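<p>As an added example, not code from this thread or from the Snort project: the Python below parses a cmg buffer dump in the layout shown above (a name[length] header, dashed separators, hex in the first 48 columns, ASCII to the right), checks each buffer's byte count against the declared length, and lists the buffers in which a given content string occurs, which is what decides whether a content match bound to http_uri or http_client_body can fire at all. The column layout and the embedded sample dump are assumptions taken from the output above.</p>

```python
"""Parse the buffer dump that Snort 3 prints with -A cmg (layout as in the
thread above) and report which inspector buffers hold a given content string.
Added example; not code from the Snort project."""
import re

HEADER_RE = re.compile(r"^(\S+)\[(\d+)\]:$")   # e.g. http_inspect.http_uri[24]:
SEPARATOR = "- - - -"                           # dashed line above/below the hex
HEX_COLUMNS = 48                                # 2 x (8 bytes * 3 chars - 1) + 2

# Constructed sample: the http_uri and stream_tcp sections from the dump above.
SAMPLE_DUMP = """\
http_inspect.http_uri[24]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 61 6B 65 6E 65 77  73 2F 74 6D 70 2F 61 74  /fakenew s/tmp/at
74 61 63 6B 2E 74 78 74                           tack.txt
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.stream_tcp[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
61 74 74 61 63 6B 0A 0A                           attack..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
"""


def parse_cmg_dump(text):
    """Return {buffer_name: bytes}; ValueError if a byte count disagrees
    with the length Snort declared in the header."""
    buffers, name, declared, data, in_hex = {}, None, 0, bytearray(), False
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            name, declared = header.group(1), int(header.group(2))
            data, in_hex = bytearray(), False
            continue
        if name is None:
            continue                     # blank line between sections
        if line.startswith(SEPARATOR):
            if in_hex:                   # closing separator: finish the buffer
                if len(data) != declared:
                    raise ValueError(f"{name}: {len(data)} bytes, header says {declared}")
                buffers[name] = bytes(data)
                name = None
            in_hex = not in_hex
            continue
        if in_hex:
            # Decode only the hex columns: the ASCII gutter on the right can
            # contain two-character tokens (e.g. "12") that look like hex.
            data.extend(int(tok, 16) for tok in line[:HEX_COLUMNS].split())
    return buffers


def buffers_containing(buffers, needle):
    """Names of the buffers in which the bytes ``needle`` occur. A content
    match bound to one buffer (http_uri, http_client_body, ...) can only
    fire when the bytes are actually in that buffer."""
    return sorted(n for n, b in buffers.items() if needle in b)
```

Run on the dump above, the URI buffer decodes to /fakenews/tmp/attack.txt and only http_uri and stream_tcp hold the bytes "attack", so a rule keyed on http_client_body has nothing to match here.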
 <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="font-size:12.0pt;color:black">From: </span></b><span \
style="font-size:12.0pt;color:black">Snort-users &lt;<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>&gt; on behalf of Preetham \
Bomma via Snort-users &lt;<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Reply-To: </b>Preetham \
Bomma &lt;<a href="mailto:preethambomma@gmail.com" \
target="_blank">preethambomma@gmail.com</a>&gt;<br> <b>Date: </b>Tuesday, February \
25, 2020 at 6:33 AM<br> <b>To: </b>Dorian ROSSE &lt;<a \
href="mailto:dorianbrice@hotmail.fr" \
target="_blank">dorianbrice@hotmail.fr</a>&gt;<br> <b>Cc: </b>&quot;<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&quot; &lt;<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Subject: </b>Re: \
[Snort-users] Issues with http_* attributes</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
</div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">I have installed Snort 3 and it's working fine. The issue I'm facing now is that Snort is not able to detect any attacks. For example, I've written rules to detect a simple payload (PFA rules file and snort conf file).<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Command: <span style="font-family:Courier">./snort -R test.rules -c ../etc/snort/snort.lua -A cmg -i &quot;enp0s8&quot;</span><o:p></o:p></p> </blockquote>
</div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
<div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On \
Tue, Feb 25, 2020 at 3:04 PM Dorian ROSSE &lt;<a href="mailto:dorianbrice@hotmail.fr" \
target="_blank">dorianbrice@hotmail.fr</a>&gt; wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white"> <span \
style="color:#212121">The snort 2 document for http module</span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
 <span style="color:#212121">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white"> <span \
style="color:#212121"><a \
href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000" \
target="_blank">http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000</a></span><o:p></o:p></p>
 <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
</div> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Regards.&nbsp;<o:p></o:p></p>
 <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
 <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Dorian \
Rosse.&nbsp;<o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Download <a href="https://aka.ms/ghei36" target="_blank">Outlook for Android</a><o:p></o:p></p> <div class="MsoNormal" align="center" style="text-align:center"> <hr size="0" width="100%" align="center">
</div>
<div id="gmail-m_8124523597261988300gmail-m_8383472621630291632gmail-m_-4231191175967569610divRplyFwdMsg">
 <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="color:black">From:</span></b><span style="color:black"> Snort-users &lt;<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>&gt;  on behalf of Preetham \
Bomma via Snort-users &lt;<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Sent:</b> Tuesday, \
February 25, 2020 7:08:51 AM<br> <b>To:</b> Russ Combs (rucombs) &lt;<a \
href="mailto:rucombs@cisco.com" target="_blank">rucombs@cisco.com</a>&gt;<br> \
<b>Cc:</b> <a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a> &lt;<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Subject:</b> Re: \
[Snort-users] Issues with http_* attributes</span> <o:p></o:p></p> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
</div> </div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I've installed Snort 2.9.15 (latest version for Snort 2). I'm attaching the configuration and rules file for reference. The issue remains the same even with Snort 2.9.15.<br> <br>
The GitHub issue <a href="https://github.com/snort3/snort3/issues/79#issuecomment-486070883" target="_blank">https://github.com/snort3/snort3/issues/79#issuecomment-486070883</a> recommends running snort in Inline and Passive mode.<br> Can you please provide us with the steps for the same in Snort 2.9.15?<o:p></o:p></p> </div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p> \
<div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On \
Fri, Feb 21, 2020 at 5:14 PM Russ Combs (rucombs) &lt;<a \
href="mailto:rucombs@cisco.com" target="_blank">rucombs@cisco.com</a>&gt; \
wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <div>
<div>
<p>Preetham,<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>2.9.7.0 is ancient (2014).&nbsp; You need to update ASAP.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>If your issue is the same as the one referenced below, that issue has the \
solution.&nbsp; If it is only similar, we need to know how they differ.&nbsp; If you \
are using the default conf, then a pcap will suffice.&nbsp; If you have changed the \
config, we need to see that  as well.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>But that's after you update.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>Thanks<o:p></o:p></p>
<p>Russ<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:12.0pt;color:black">From: </span></b><span \
style="font-size:12.0pt;color:black">Snort-users &lt;<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>&gt; on behalf of Preetham \
Bomma  via Snort-users &lt;<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Reply-To: </b>Preetham \
Bomma &lt;<a href="mailto:preethambomma@gmail.com" \
target="_blank">preethambomma@gmail.com</a>&gt;<br> <b>Date: </b>Thursday, February \
20, 2020 at 11:54 AM<br> <b>To: </b>&quot;<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&quot; &lt;<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt;<br> <b>Subject: </b>[Snort-users] \
Issues with http_* attributes</span><o:p></o:p></p> </div>
<div>
<p>&nbsp;<o:p></o:p></p>
</div>
<div>
<p style="margin-bottom:12.0pt">Hi,<o:p></o:p></p>
<p>We are trying to use http_* attributes in snort rules, specifically 'http_client_body' and 'http_uri', to detect payloads in HTTP requests. Snort is not handling the rules which have "http_*" attributes in them. Our issue with snort is similar to <a href="https://github.com/snort3/snort3/issues/79" target="_blank">https://github.com/snort3/snort3/issues/79</a>.<br> <br>
<b>Snort version tested</b>: Version 2.9.7.0 GRE (Build 149)<br>
<b>Snort command</b>: <span style="font-family:Courier">snort -A console -Q -c /etc/snort/snort.conf -i eth0 -N</span><br> <b>OS</b>: Ubuntu 18.04<o:p></o:p></p>
<p style="margin-bottom:12.0pt"><b>Snort rule</b>: <span style="font-family:Courier">alert tcp any any -&gt; any 80 (msg:&quot;testing body&quot;; content:&quot;EFG&quot;; http_client_body; sid:100023;)</span><br> <br>
<b>Expected behavior</b>: Snort has to give an alert when the request body contains the string "EFG".<br>
<b>Actual behavior</b>: Snort does not give any alert.<br>
<br>
Thanks,<br>
Preetham<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</body>
</html>



_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

	To unsubscribe, send an email to:
	snort-users-leave@lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
