List: snort-users
Subject: Re: [Snort-users] Issues with http_* attributes
From: "Al Lewis (allewi) via Snort-users" <snort-users@lists.snort.org>
Date: 2020-02-26 12:56:16
Message-ID: D05CDA09-7237-436B-BDFA-62F4B8B9BD0D@cisco.com
An explanation is provided in the dev notes file (located in the download):
src/service_inspectors/http_inspect/dev_notes.txt
"1. HI considers it to be normal for reserved characters to be percent encoded and does not generate an alert. The 119/1 alert is used only for unreserved characters that are found to be percent encoded. The ignore_unreserved configuration option allows the user to specify a list of unreserved characters that are exempt from this alert."
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
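To make the quoted rule concrete, here is a small Python model of that decision (an added example, not Snort's own http_inspect code): it percent-decodes a URI and reports which decoded characters would trigger 119:1 under a given ignore_unreserved list. The RFC 3986 reserved/unreserved sets are assumed to be the classes the dev notes refer to.

```python
"""Model of the http_inspect 119:1 "ascii encoding" decision quoted above from
dev_notes.txt. Added example, not Snort's own code: reserved characters may be
percent-encoded without an alert, a percent-encoded *unreserved* character
alerts, and characters listed in ignore_unreserved are exempt."""
import string

# RFC 3986 character classes; assumed to be the classes the dev notes mean.
UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")
RESERVED = frozenset(":/?#[]@!$&'()*+,;=")


def classify(ch):
    """RFC 3986 class of a decoded character: 'reserved', 'unreserved' or 'other'."""
    if ch in UNRESERVED:
        return "unreserved"
    if ch in RESERVED:
        return "reserved"
    return "other"


def percent_decode(uri):
    """Decode %XX escapes in uri.

    Returns (decoded, encoded): the normalised text and the list of characters
    that arrived percent-encoded, so '%61' can be told apart from a literal 'a'
    even though both normalise to 'a'. A '%' not followed by two hex digits is
    kept literally rather than raising.
    """
    decoded, encoded, i = [], [], 0
    while i < len(uri):
        pair = uri[i + 1:i + 3]
        if uri[i] == "%" and len(pair) == 2 and all(h in string.hexdigits for h in pair):
            ch = chr(int(pair, 16))
            decoded.append(ch)
            encoded.append(ch)
            i += 3
        else:
            decoded.append(uri[i])
            i += 1
    return "".join(decoded), encoded


def ascii_encoding_alerts(uri, ignore_unreserved=""):
    """Return the percent-encoded unreserved characters that would raise 119:1.

    ignore_unreserved mirrors the http_inspect option of that name: a string of
    unreserved characters exempt from the alert. Encoded reserved characters
    (e.g. %2F for '/') and encoded characters outside both classes (e.g. %20)
    are never reported by this check.
    """
    _, encoded = percent_decode(uri)
    exempt = set(ignore_unreserved)
    return [c for c in encoded if classify(c) == "unreserved" and c not in exempt]


if __name__ == "__main__":
    # Constructed URIs; the first is the one shown in the thread's output.
    for uri in ("/fakenews/tmp/attack.txt", "/fakenews/tmp/%61ttack.txt",
                "/p%2Fq?x=%3D", "/a%20b"):
        print(f"{uri:30} -> decoded {percent_decode(uri)[0]!r}, "
              f"119:1 on {ascii_encoding_alerts(uri)}")
    print("with ignore_unreserved='a':",
          ascii_encoding_alerts("/fakenews/tmp/%61ttack.txt", "a"))
```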
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of "Al Lewis (allewi) via Snort-users" <snort-users@lists.snort.org>
Reply-To: "Al Lewis (allewi)" <allewi@cisco.com>
Date: Wednesday, February 26, 2020 at 7:33 AM
To: Preetham Bomma <preethambomma@gmail.com>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes
That is a preprocessor rule that is alerting, which means the http inspect preprocessor has an issue with the traffic.
The traffic has to be decoded and preprocessed before the rule can be applied correctly.
Check the http_inspect section of the manual for the configuration options.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
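A small parser for the one-line alert format shown in this thread, added here as an example (not part of the original mail or of Snort): it reads the gid in [gid:sid:rev] to tell an http_inspect builtin alert (gid 119) from a text-rule alert (gid 1), which is the distinction drawn above. The gid 119 to http_inspect mapping is taken from the alert text on this page.

```python
"""Triage helper for Snort alert lines like those quoted in this thread.
Added example, not part of the original mail: alerts from the http_inspect
inspector (gid 119, as in [119:1:1]) are separated from alerts raised by text
rules loaded with -R (gid 1, as in [1:1:1])."""
import re
from collections import Counter

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] \[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$'
)

# Generator ids as they appear on this page: 1 = text rules, 119 = http_inspect.
GENERATORS = {1: "text rule", 119: "http_inspect builtin"}


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    d["source"] = GENERATORS.get(d["gid"], f"builtin gid {d['gid']}")
    return d


def triage(lines):
    """Count alerts per source; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        counts[alert["source"] if alert else "unparsed"] += 1
    return dict(counts)


# Sample input: the two alert lines quoted in this thread (copied from the page).
SAMPLE = [
    '02/26-02:12:39.802559 [**] [119:1:1] "(http_inspect) ascii encoding" [**] '
    '[Priority: 3] {TCP} 192.168.56.1:63276 -> 192.168.56.105:80',
    '10/13-08:55:36.104000 [**] [1:1:1] "ab" [**] [Priority: 0] {TCP} '
    '173.37.145.84:80 -> 192.168.0.1:19158',
]

if __name__ == "__main__":
    for line in SAMPLE:
        a = parse_alert(line)
        print(f"{a['source']:22} {a['msg']!r} {a['src']} -> {a['dst']}")
    print(triage(SAMPLE))
```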
From: Preetham Bomma <preethambomma@gmail.com>
Date: Wednesday, February 26, 2020 at 4:00 AM
To: "Al Lewis (allewi)" <allewi@cisco.com>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes
Hi,
With the same command from the previous mail and with the unedited configuration, we are currently having this as output. Our expected outcome is to see the "alert with the message". This is the rule I'm currently using:
alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"ab";content:"attack";sid:1; rev:1;)
Output
02/26-02:12:39.802559 [**] [119:1:1] "(http_inspect) ascii encoding" [**] [Priority: 3] {TCP} 192.168.56.1:63276 -> 192.168.56.105:80
http_inspect.http_method[3]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
47 45 54 GET
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_version[8]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
48 54 54 50 2F 31 2E 31 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_uri[24]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2F 66 61 6B 65 6E 65 77 73 2F 74 6D 70 2F 61 74 /fakenew s/tmp/at
74 61 63 6B 2E 74 78 74 tack.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Tue, Feb 25, 2020 at 7:50 PM Preetham Bomma <preethambomma@gmail.com> wrote:
Thank you so much for the response. I'll check them out and get back to you.
On Tue, Feb 25, 2020 at 7:12 PM Al Lewis (allewi) <allewi@cisco.com> wrote:
Hello Preetham,
Using your conf unedited I am able to get an alert on the content "attack" (pcap I used is attached). See if you can get an alert using the -r option. You may have a local/network issue.
ubuntu19@ubuntu19:/var/tmp/snort++$ ./bin/snort -c etc/snort/preetham.lua -r etc/snort/attack.txt-http-get.pcap -R etc/snort/preetham.rules -Acsv -k none -q
10/13-08:55:36.104000, 9, TCP, stream_tcp, 8, S2C, 173.37.145.84:80, 192.168.0.1:19158, 1:1:1, allow
ubuntu19@ubuntu19:/var/tmp/snort++$ ./bin/snort -c etc/snort/preetham.lua -r etc/snort/attack.txt-http-get.pcap -R etc/snort/preetham.rules -Acmg -k none -q
10/13-08:55:36.104000 [**] [1:1:1] "ab" [**] [Priority: 0] {TCP} 173.37.145.84:80 -> 192.168.0.1:19158
http_inspect.http_version[8]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
48 54 54 50 2F 31 2E 31 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_stat_code[3]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
32 30 30 200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_stat_msg[2]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4F 6B Ok
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_uri[24]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2F 66 61 6B 65 6E 65 77 73 2F 74 6D 70 2F 61 74 /fakenew s/tmp/at
74 61 63 6B 2E 74 78 74 tack.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.http_header[328]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
44 61 74 65 3A 20 57 65 64 2C 20 32 39 20 4A 75 Date: We d, 29 Ju
6C 20 32 30 30 39 20 31 33 3A 33 35 3A 32 36 20 l 2009 1 3:35:26
47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 61 GMT..Ser ver: Apa
63 68 65 2F 32 2E 32 2E 33 20 28 44 65 62 69 61 che/2.2. 3 (Debia
6E 29 20 50 48 50 2F 35 2E 32 2E 30 2D 38 20 65 n) PHP/5 .2.0-8 e
74 63 68 31 30 20 6D 6F 64 5F 73 73 6C 2F 32 2E tch10 mo d_ssl/2.
32 2E 33 20 4F 70 65 6E 53 53 4C 2F 30 2E 39 2E 2.3 Open SSL/0.9.
38 63 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 8c..Last -Modifie
64 3A 20 53 75 6E 2C 20 32 30 20 4A 61 6E 20 32 d: Sun, 20 Jan 2
30 30 38 20 31 32 3A 30 31 3A 32 31 20 47 4D 54 008 12:0 1:21 GMT
0D 0A 45 54 61 67 3A 20 22 61 38 30 31 63 2D 31 ..ETag: "a801c-1
62 62 64 31 63 2D 32 32 34 31 36 36 34 30 22 0D bbd1c-22 416640".
0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 .Accept- Ranges:
62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C bytes..C ontent-L
65 6E 67 74 68 3A 20 38 0D 0A 4B 65 65 70 2D 41 ength: 8 ..Keep-A
6C 69 76 65 3A 20 74 69 6D 65 6F 75 74 3D 31 35 live: ti meout=15
2C 20 6D 61 78 3D 39 39 0D 0A 43 6F 6E 6E 65 63 , max=99 ..Connec
74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 tion: Ke ep-Alive
0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Conten t-Type:
61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 applicat ion/octe
74 2D 73 74 72 65 61 6D t-stream
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http_inspect.stream_tcp[8]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
61 74 74 61 63 6B 0A 0A attack..
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hope this helps.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Reply-To: Preetham Bomma <preethambomma@gmail.com>
Date: Tuesday, February 25, 2020 at 6:33 AM
To: Dorian ROSSE <dorianbrice@hotmail.fr>
Cc: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes
I have installed Snort 3 and it's working fine. The issue I'm facing now is that Snort is not able to detect any attacks. For example, I've written rules to detect a simple payload (PFA rules file and snort conf file).
Command: ./snort -R test.rules -c ../etc/snort/snort.lua -A cmg -i "enp0s8"
On Tue, Feb 25, 2020 at 3:04 PM Dorian ROSSE <dorianbrice@hotmail.fr> wrote:
The snort 2 document for the http module:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000
Regards.
Dorian Rosse.
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Sent: Tuesday, February 25, 2020 7:08:51 AM
To: Russ Combs (rucombs) <rucombs@cisco.com>
Cc: snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Issues with http_* attributes
I've installed Snort 2.9.15 (latest version for Snort 2). I'm attaching the configuration and rules file for reference. The issue remains the same even with Snort 2.9.15.
The GitHub issue https://github.com/snort3/snort3/issues/79#issuecomment-486070883 recommends running snort in Inline and Passive mode. Can you please provide us the steps for the same in the Snort 2.9.15 version?
On Fri, Feb 21, 2020 at 5:14 PM Russ Combs (rucombs) <rucombs@cisco.com> wrote:
Preetham,
2.9.7.0 is ancient (2014). You need to update ASAP.
If your issue is the same as the one referenced below, that issue has the solution. If it is only similar, we need to know how they differ. If you are using the default conf, then a pcap will suffice. If you have changed the config, we need to see that as well.
But that's after you update.
Thanks
Russ
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Preetham Bomma via Snort-users <snort-users@lists.snort.org>
Reply-To: Preetham Bomma <preethambomma@gmail.com>
Date: Thursday, February 20, 2020 at 11:54 AM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] Issues with http_* attributes
Hi,
We are trying to use http_* attributes in snort rules, specifically 'http_client_body' and 'http_uri', to detect payloads in HTTP requests. Snort is not handling the rules which have "http_*" attributes in them. Our issue with snort is similar to https://github.com/snort3/snort3/issues/79.
Snort version tested: Version 2.9.7.0 GRE (Build 149)
Snort command : snort -A console -Q -c /etc/snort/snort.conf -i eth0 -N
OS: Ubuntu 18.04
Snort rule: alert tcp any any -> any 80 (msg:"testing body"; content:"EFG"; http_client_body; sid:100023;)
Expected behavior: Snort has to give an alert when the request body contains the string "EFG".
Actual behavior: Snort does not give any alert.
Thanks,
Preetham
style="font-family:Courier">- - - - - - - - - - - - - - - - - - - - - - - \
- - - - - - - - - -</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">61 74 74 61 63 6B 0A \
0A \
attack.. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">- - - - - - - - - - - - - - - - - - - - - - - \
- - - - - - - - - -</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier">Hope this helps.</span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier"> </span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
<div> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="font-size:13.0pt;font-family:Courier;color:#1F497D">Albert \
Lewis</span></b><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:12.0pt;font-family:Courier;color:#7F7F7F">ENGINEER.SOFTWARE \
ENGINEERING</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:12.0pt;font-family:Courier;color:#999999">Cisco Systems \
Inc.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-family:Courier;color:#999999">Email: </span><span \
style="font-family:Courier;color:black"><a href="mailto:allewi@cisco.com" \
target="_blank"><span \
style="color:purple">allewi@cisco.com</span></a></span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="color:black"> </span><o:p></o:p></p> </div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="font-size:12.0pt;color:black">From: </span></b><span \
style="font-size:12.0pt;color:black">Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>> on behalf of Preetham \
Bomma via Snort-users <<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Reply-To: </b>Preetham \
Bomma <<a href="mailto:preethambomma@gmail.com" \
target="_blank">preethambomma@gmail.com</a>><br> <b>Date: </b>Tuesday, February \
25, 2020 at 6:33 AM<br> <b>To: </b>Dorian ROSSE <<a \
href="mailto:dorianbrice@hotmail.fr" \
target="_blank">dorianbrice@hotmail.fr</a>><br> <b>Cc: </b>"<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>" <<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Subject: </b>Re: \
[Snort-users] Issues with http_* attributes</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">I have \
installed Snort 3 and it's working fine. The issue I'm facing now is, Snort is not \
able to detect any attacks. For example, I've written rules to detect a simple \
payload ( PFA rules file and snort conf file ). <o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Command \
: <span style="font-size:9.0pt;font-family:Monaco;color:#D1D2D3;background:#222529">./snort \
-R test.rules -c ../etc/snort/snort.lua -A cmg -i \
"enp0s8"</span><o:p></o:p></p> </blockquote>
<div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> </div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
<div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On \
Tue, Feb 25, 2020 at 3:04 PM Dorian ROSSE <<a href="mailto:dorianbrice@hotmail.fr" \
target="_blank">dorianbrice@hotmail.fr</a>> wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white"> <span \
style="color:#212121">The snort 2 document for http module</span><o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="color:#212121"> </span><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white"> <span \
style="color:#212121"><a \
href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000" \
target="_blank">http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00327000000000000000</a></span><o:p></o:p></p>
<div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Regards. <o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Dorian \
Rosse. <o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> <p \
class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Download
<a href="https://aka.ms/ghei36" target="_blank">Outlook for \
Android</a><o:p></o:p></p> <div class="MsoNormal" align="center" \
style="text-align:center"> <hr size="0" width="100%" align="center">
</div>
<div id="gmail-m_8124523597261988300gmail-m_8383472621630291632gmail-m_-4231191175967569610divRplyFwdMsg">
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span \
style="color:black">From:</span></b><span style="color:black"> Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>> on behalf of Preetham \
Bomma via Snort-users <<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Sent:</b> Tuesday, \
February 25, 2020 7:08:51 AM<br> <b>To:</b> Russ Combs (rucombs) <<a \
href="mailto:rucombs@cisco.com" target="_blank">rucombs@cisco.com</a>><br> \
<b>Cc:</b> <a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a> <<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Subject:</b> Re: \
[Snort-users] Issues with http_* attributes</span> <o:p></o:p></p> <div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
</div> </div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I've \
installed Snort 2.9.15 ( latest version for Snort 2 ). I'm attaching the \
configuration and rules file for reference. The issue remains the same even with \
Snort 2.9.15.<br> <br>
The GitHub issue <a \
href="https://github.com/snort3/snort3/issues/79#issuecomment-486070883" \
target="_blank">https://github.com/snort3/snort3/issues/79#issuecomment-486070883</a> \
recommends running snort in Inline and Passive mode.<br> Can you please provide us \
the steps for the same in Snort 2.9.15 version.<o:p></o:p></p> </div>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p> \
<div> <div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On \
Fri, Feb 21, 2020 at 5:14 PM Russ Combs (rucombs) <<a \
href="mailto:rucombs@cisco.com" target="_blank">rucombs@cisco.com</a>> \
wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> <div>
<div>
<p>Preetham,<o:p></o:p></p>
<p> <o:p></o:p></p>
<p>2.9.7.0 is ancient (2014). You need to update ASAP.<o:p></o:p></p>
<p> <o:p></o:p></p>
<p>If your issue is the same as the one referenced below, that issue has the \
solution. If it is only similar, we need to know how they differ. If you \
are using the default conf, then a pcap will suffice. If you have changed the \
config, we need to see that as well.<o:p></o:p></p>
<p> <o:p></o:p></p>
<p>But that's after you update.<o:p></o:p></p>
<p> <o:p></o:p></p>
<p>Thanks<o:p></o:p></p>
<p>Russ<o:p></o:p></p>
<p> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:12.0pt;color:black">From: </span></b><span \
style="font-size:12.0pt;color:black">Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org" \
target="_blank">snort-users-bounces@lists.snort.org</a>> on behalf of Preetham \
Bomma via Snort-users <<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Reply-To: </b>Preetham \
Bomma <<a href="mailto:preethambomma@gmail.com" \
target="_blank">preethambomma@gmail.com</a>><br> <b>Date: </b>Thursday, February \
20, 2020 at 11:54 AM<br> <b>To: </b>"<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>" <<a \
href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>><br> <b>Subject: </b>[Snort-users] \
Issues with http_* attributes</span><o:p></o:p></p> </div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p style="margin-bottom:12.0pt">Hi,<o:p></o:p></p>
<p>We are trying to use http_* attributes in snort rules, specifically \
'http_client_body' and 'http_uri' to detect payloads in HTTP requests. Snort is \
not handling the rules which have "http_*" attributes in it. Our issue with snort is \
similar to <a href="https://github.com/snort3/snort3/issues/79" \
target="_blank">https://github.com/snort3/snort3/issues/79</a>.<br> <br>
<b>Snort version tested</b>: Version 2.9.7.0 GRE (Build 149)<br>
<b>Snort command</b> : snort -A console -Q -c /etc/snort/snort.conf -i eth0 \
-N<br> <b>OS</b>: Ubuntu 18.04<o:p></o:p></p>
<p style="margin-bottom:12.0pt"><b>Snort rule</b>: alert tcp \
any any -> any 80 (message: "testing body"; content:"EFG"; \
http_client_body;sid:100023;)<br> <br>
<b>Expected behavior</b>: Snort has to give an alert when the request body contains \
the string "EFG". <br>
<b>Actual behavior</b>: Snort does not give any alert.<br>
<br>
Thanks,<br>
Preetham<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</body>
</html>
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave@lists.snort.org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
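The raw-payload versus http_client_body distinction that runs through this thread, as an added example (not code from the thread or from the Snort project): it splits a constructed HTTP request into the buffers that the http_uri, http_header and http_client_body modifiers select, emulates a content match against each, and renders bytes in a layout approximating the -A cmg hex dump quoted above. The sample request, the Content-Length handling and the exact dump layout are assumptions for illustration.

```python
import re

# Constructed sample request (not traffic from the thread); the body carries "EFG".
SAMPLE_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"abcEFGxyz"
)


def split_http_request(raw):
    """Split a raw request into the buffers that http_uri, http_header and
    http_client_body select. An incomplete request (no CRLFCRLF yet) yields
    empty buffers: the http_* buffers only exist once a request has been parsed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"uri": b"", "headers": b"", "client_body": b""}
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", header_block)
    if m:  # keep only the declared body; trailing bytes belong to the next request
        body = body[: int(m.group(1))]
    return {"uri": uri, "headers": header_block, "client_body": body}


def content_match(raw, pattern, buffer=None):
    """Emulate content:"pattern" with an optional http_* buffer modifier
    (note that Snort spells the rule message option "msg:", not "message:").
    buffer=None searches the raw TCP payload, as a rule without a modifier would."""
    if buffer is None:
        return pattern in raw
    return pattern in split_http_request(raw)[buffer]


def cmg_hexdump(data):
    """Render bytes 16 per line as hex followed by ASCII (non-printables as '.'),
    approximating the per-buffer layout that snort -A cmg prints."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart:<47}  {text[:8]} {text[8:]}".rstrip())
    return lines
```

A rule with `http_client_body` only fires when the pattern sits in the parsed body buffer, so a pattern that appears only in the URI or raw payload will not match it, and an unparsed stream produces no buffers at all.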