Need help with basic Snort rule to detect string in a web page
I have the rule:
alert ip any any -> any any (msg: "Test String"; flow: to_client,established; content:"teststring"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; sid: 2001351; rev:6;)
But it is not alerting when I bring up a test HTML page with "teststring" inside of it.
That protocol hierarchy is with respect to networks, but are you sure that when you mention ip, Snort is going to check the payload of the inner-level protocols like tcp, udp, icmp, http, ftp, smtp, etc.?
Last edited by chakka.lokesh; 05-27-2008 at 04:05 AM.
Nope, I'm not sure
And I think you're right, it's not checking the whole payload. It didn't check it with tcp either, and it won't let me use http:
snort[17134]: FATAL ERROR: /etc/snort/rules/creditcard.rules(14) => Bad protocol: http
Didn't work. I even tried a rule for asdf and made a .html page containing only asdf, not even <html>.
I think this has to do something with the http_inspect or stream5 preprocessors in the snort.conf file.
This is what I have:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } \
oversize_dir_length 500 \
flow_depth 0
Do I need to add something to tell it to reassemble packets with stream5 both ways on port 80?
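A small rule linter, added here as an example (not code from the thread or from Snort), that flags the pitfalls raised in this thread: the rule as first posted has no closing ';)', http is not a Snort 2 header protocol, flow relies on stream5 TCP session tracking so it belongs on a tcp rule, and "threshold: type threshold, count 5" only alerts on every fifth match in the window, so a single page load never fires. The tcp replacement rule and its sid 1000001 are constructed for the example.

```python
import re

VALID_PROTOS = {"ip", "tcp", "udp", "icmp"}   # Snort 2 rule-header protocols; 'http' is not one
HEADER_RE = re.compile(r"^\w+\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(")

# Rule from the first post, minus its closing ';)', and a constructed tcp replacement (sid 1000001 is made up).
THREAD_RULE = ('alert ip any any -> any any (msg: "Test String"; flow: to_client,established; '
               'content:"teststring"; nocase; threshold: type threshold, track by_dst,count 5, '
               'seconds 360; classtype: policy-violation; sid: 2001351; rev:6')
FIXED_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test String"; '
              'flow:to_client,established; content:"teststring"; nocase; '
              'classtype:policy-violation; sid:1000001; rev:1;)')

def split_options(body):
    """Split the option list on ';' outside double quotes -> [(keyword, value or None)]."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():                                  # trailing option that has no ';'
        opts.append(buf.strip())
    return [tuple(p.strip() for p in o.split(":", 1)) if ":" in o else (o, None) for o in opts]

def lint_rule(rule):
    """Return the list of findings for one rule (empty list: nothing flagged)."""
    rule, findings = rule.strip(), []
    m = HEADER_RE.match(rule)
    if not m:
        return ["header is not of the form: action proto src sport -> dst dport ("]
    proto = m.group("proto").lower()
    if proto not in VALID_PROTOS:
        findings.append(f"Bad protocol: {proto} (HTTP payload rules use tcp)")
    body = rule[m.end():]
    if not body.endswith(";)"):                      # every option ends with ';', then ')'
        findings.append("option list must end with ';)'")
    opts = split_options(body.rstrip(")"))
    if proto != "tcp" and any(k == "flow" for k, _ in opts):
        findings.append("flow: relies on stream5 TCP session tracking, so it belongs on a tcp rule")
    for key, val in opts:
        if key == "threshold" and val and re.search(r"type\s+threshold", val):
            count, secs = re.search(r"count\s+(\d+)", val), re.search(r"seconds\s+(\d+)", val)
            if count and int(count.group(1)) > 1:
                findings.append(f"threshold count {count.group(1)}: alerts only on every {count.group(1)}th "
                                f"match within {secs.group(1) if secs else '?'} s, not on the first page load")
    return findings
```

Running lint_rule(THREAD_RULE) reports the missing ';)', the flow/ip mismatch and the count-5 threshold, while lint_rule(FIXED_RULE) reports nothing.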