
This will generate an alert:

```
alert tcp any any <> any any (msg:"Test_A"; sid:3000001; rev:1;)
```

This will not:

```
alert tcp any any <> any any (msg:"Test_B"; content:"badurl.com"; http_header; sid:3000002; rev:1;)
```

I have tried: fast_pattern:only; metadata:service http; nocase; http_header; and others. I cannot get it to work at this generic level. Any ideas why the content attribute does not work? The packet has a URL.

Updated from the comments

```
0000 9c d2 4b 7d 96 60 3c 15 c2 dc 48 fa 08 00 45 00 ..K}.<. ..H...E.
0010 01 5c ac 2c 40 00 40 06 cf f5 c0 a8 c8 1e 41 fe .\.,@.@. ......A.
0020 f2 b4 dc 41 00 50 d0 e7 97 d0 ae b8 f9 ba 80 18 ...A.P.. ........
0030 ff ff da 1f 00 00 01 01 08 0a 34 03 84 d8 b7 cc ........ ..4.....
0040 3f 04 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 ?.GET / HTTP/1.1
0050 0d 0a 48 6f 73 74 3a 20 6d 79 64 6f 6d 61 69 6e ..Host: mydomain
0060 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 .com..Us er-Agent
```
David Hoelzer
Dann
  • **server_flow_depth** & **client_flow_depth** are both set to zero. – Dann Jul 02 '16 at 23:48
  • I have the above rule loaded in my `local.rules` file. It is located in the `/etc/nsm/rules/` folder. The PCAP file is on my Desktop in Security Onion. I am running the following command in terminal, which runs, but does not provide any alerts. `sudo snort -c /etc/nsm/rules/local.rules -r /path/to/Desktop/20160701.pcap -A full -l .` – Dann Jul 03 '16 at 23:44
  • Found out that it has to do with `http_header;` and HTTP Processors. – Dann Jul 04 '16 at 14:14
  • You fail to show us any of the data that you expect to match with your rules. For example, with the `http_header` modifier, you will only match that content if it actually appears in an HTTP header. – David Hoelzer Jul 16 '16 at 18:35
  • `alert tcp $HOME_NET $OPEN_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"1. Reference to evildomain.com"; flow:established,to_server; content:"POST"; http_method; content:"evildomain.com"; http_header; sid:3000005; rev:1;)` – Dann Jul 17 '16 at 20:39
  • This is a sample alert. It should narrow it down a bit for you. My issue is that when I specify the `http_header` I get no alerts. If I leave it out I get results, but the rule is now very inefficient. – Dann Jul 17 '16 at 20:42
  • And, as I said, you haven't shown us any packets. From what you describe it sounds almost certain that what you're looking for isn't in a header field. – David Hoelzer Jul 18 '16 at 10:08
  • If I could upload a pcap file I would. – Dann Jul 19 '16 at 23:41
  • You could paste in the hex with the ascii decode or just the reassembled stream. – David Hoelzer Jul 20 '16 at 00:22
  • `0000 9c d2 4b 7d 96 60 3c 15 c2 dc 48 fa 08 00 45 00 ..K}.`<. ..H...E. 0010 01 5c ac 2c 40 00 40 06 cf f5 c0 a8 c8 1e 41 fe .\.,@.@. ......A. 0020 f2 b4 dc 41 00 50 d0 e7 97 d0 ae b8 f9 ba 80 18 ...A.P.. ........ 0030 ff ff da 1f 00 00 01 01 08 0a 34 03 84 d8 b7 cc ........ ..4..... 0040 3f 04 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 ?.GET / HTTP/1.1 0050 0d 0a 48 6f 73 74 3a 20 6d 79 64 6f 6d 61 69 6e ..Host: mydomain 0060 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 .com..Us er-Agent` – Dann Jul 20 '16 at 22:59
  • `alert tcp $HOME_NET $OPEN_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"1. Reference to mydomain.com"; flow:established,to_server; content:"POST"; http_method; content:"mydomain.com"; http_header; sid:3000005; rev:1;)` – Dann Jul 20 '16 at 23:02
  • I am trying to format it. Not working. Sorry. – Dann Jul 22 '16 at 01:55
  • `ipvar HOME_NET [192.168.200.0/24]` `ipvar EXTERNAL_NET any` `portvar HTTP_PORTS [80,81,8080,8888]` `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Not working Reference to mydomain.com"; flow:established,to_server; content:"mydomain.com"; http_header; sid:3000005; rev:1;)` `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Working Reference to mydomain.com"; flow:established,to_server; content:"mydomain.com"; sid:3000006; rev:1;)` – Dann Jul 22 '16 at 02:05
  • I get one alert from the two rules above. `[**] [1:3000006:1] Working Reference to mydomain.com [**] [Priority: 0] 07/04-17:24:23.950990 192.168.200.30:56385 -> 65.254.242.180:80 TCP TTL:64 TOS:0x0 ID:44076 IpLen:20 DgmLen:348 DF ***AP*** Seq: 0xD0E797D0 Ack: 0xAEB8F9BA Win: 0xFFFF TcpLen: 32 TCP Options (3) => NOP NOP TS: 872645848 3083616004` – Dann Jul 22 '16 at 02:06
  • Here is the terminal command I am using: `snort -c 20160704.rules -r 20160704.pcap -k none -A full -l .` – Dann Jul 22 '16 at 02:21

2 Answers

The rule that you have provided will never fire with the example packet that you have provided. You have used a `content:"POST";` with an `http_method` modifier, but you are attempting to match a packet that is a GET request.

David Hoelzer

I think that the right content modifier should be `http_uri`, not `http_header`. Unless you are trying to capture the Host POST parameter.

eugenioperez
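As an added illustration for both answers (this is my code, not from the question or either answer), the following Python rebuilds the TCP payload from the hex dump posted above and approximates the buffers that Snort's `http_method`, `http_uri` and `http_header` modifiers inspect, then evaluates the content checks from the rules on this page against them. The buffer model is a deliberate simplification I wrote for this example (no normalisation, request line and headers only), not Snort's http_inspect implementation.

```python
# Hex dump constructed from the packet shown in the question (Ethernet + IPv4 + TCP + HTTP).
HEXDUMP = """
0000 9c d2 4b 7d 96 60 3c 15 c2 dc 48 fa 08 00 45 00
0010 01 5c ac 2c 40 00 40 06 cf f5 c0 a8 c8 1e 41 fe
0020 f2 b4 dc 41 00 50 d0 e7 97 d0 ae b8 f9 ba 80 18
0030 ff ff da 1f 00 00 01 01 08 0a 34 03 84 d8 b7 cc
0040 3f 04 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31
0050 0d 0a 48 6f 73 74 3a 20 6d 79 64 6f 6d 61 69 6e
0060 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74
"""

# content/modifier pairs taken from the rules discussed on this page
RULES = {
    "POST in http_method + mydomain.com in http_header": [("POST", "http_method"), ("mydomain.com", "http_header")],
    "mydomain.com in http_header": [("mydomain.com", "http_header")],
    "mydomain.com in http_uri": [("mydomain.com", "http_uri")],
    "mydomain.com with no modifier (raw payload)": [("mydomain.com", "raw")],
}

def hexdump_to_bytes(dump):
    """Parse 'offset b0 b1 ... b15' lines; anything after the 16 byte tokens is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split()[1:17])
    return bytes(out)

def tcp_payload(frame):
    """Skip Ethernet (14 bytes), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    doff = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + doff:]

def http_buffers(payload):
    """Simplified model (my assumption, not Snort's code) of the buffers the http_*
    modifiers inspect. The capture is truncated, so only request line + headers exist."""
    text = payload.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return {"http_method": method, "http_uri": uri, "http_header": headers, "raw": text}

def content_matches(buffers, checks):
    """A rule fires only if every content: string is found in its designated buffer."""
    return all(needle in buffers[buf] for needle, buf in checks)

if __name__ == "__main__":
    bufs = http_buffers(tcp_payload(hexdump_to_bytes(HEXDUMP)))
    for name, checks in RULES.items():
        print(f"{name}: {'match' if content_matches(bufs, checks) else 'no match'}")
```

Run against this packet, the string is found in the header buffer and the raw payload but not in the URI buffer, and the rule that also requires `POST` never fires because the request is a GET. In Snort 2 these buffers are filled only by the http_inspect preprocessor, so a configuration that consists of nothing but a rules file, as in the commands above, leaves every `http_*` modifier unmatched even when the header contains the string.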