带有内容的 Snort 规则 [英] Snort rules with content

问题描述

这将生成警报:

alert tcp any any <> any any (msg:"Test_A"; sid:3000001; rev:1;)

这不会:

alert tcp any any <> any any (msg:"Test_B"; content:"badurl.com"; http_header; sid:3000002; rev:1;)

我试过:fast_pattern:only;元数据:服务http；无壳；http_header;和别的.我无法让它在这个通用级别上工作.为什么内容属性不起作用的任何想法?数据包有一个 URL.

I have tried: fast_pattern:only; metadata:service http; nocase; http_header; and others. I cannot get it to work at this generic level. Any ideas why the content attribute does not work? The packet has a URL.

0000 9c d2 4b 7d 96 60 3c 15 c2 dc 48 fa 08 00 45 00 ..K}.<. ..H...E.
0010 01 5c ac 2c 40 00 40 06 cf f5 c0 a8 c8 1e 41 fe .\.,@.@. ......A. 
0020 f2 b4 dc 41 00 50 d0 e7 97 d0 ae b8 f9 ba 80 18 ...A.P.. ........
0030 ff ff da 1f 00 00 01 01 08 0a 34 03 84 d8 b7 cc ........ ..4.....
0040 3f 04 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 ?.GET / HTTP/1.1
0050 0d 0a 48 6f 73 74 3a 20 6d 79 64 6f 6d 61 69 6e ..Host: mydomain 
0060 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 .com..Us er-Agent

推荐答案

我认为正确的内容修饰符应该是 http_uri，而不是 http_header.除非您尝试捕获 Host POST 参数.

I think that the right content modifier should be http_uri, not http_header. Unless you are trying to capture the Host POST parameter.

这篇关于带有内容的 Snort 规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！