From: Brian J. <bja...@ci...> - 2004-04-02 15:52:51
Rob McMillen wrote:-
>
> I would recommend we do our troubleshooting by removing as much
> complexity as possible; therefore, can we verify that snort (NOT
> snort_inline) with the http_inspect preproc will decode and alert on
> uricontent first?
>
> Thanks in advance,
>
> Rob
>
> P.S. my apologies for not doing it myself, but I am trying to meet a
> deadline with another project.

Rob,

I can confirm that snort 2.1.1 and 2.1.2 both alert on uricontent with the http_inspect preprocessor. Just had in an alert on sid 1852:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

Preprocessor configuration for the sensor that received the alert above is as follows:-

#
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor perfmonitor: pktcnt 1 file /var/log/snort/red.stats time 60
#

regards,
Brian
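The point Rob wants verified is that `uricontent` is matched against the URI *after* `http_inspect` has normalised it, so encoded or traversal-obfuscated requests for `/robots.txt` still fire SID 1852. The following is an added example, not code from the thread or from Snort: a small Python model of that pipeline. The normalisation steps (single-pass percent decoding, collapsing repeated slashes, resolving `.` and `..` segments, dropping the query string) are a simplified, hypothetical stand-in for what `http_inspect` does and do not reproduce its full option set (for instance the `iis_unicode_map` table the config above loads). The sample requests are constructed for the example.

```python
"""
Model of "uricontent matches the normalised URI": raw request-line URI
vs. the URI after an http_inspect-style normalisation pass.
This is an added illustration, not Snort's code.
"""
import re

# Rule option values taken from SID 1852 as quoted in the thread.
RULE_URICONTENT = "/robots.txt"
RULE_NOCASE = True

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "plain":         "GET /robots.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "hex-encoded":   "GET /%72obots.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "encoded-slash": "GET /%2Frobots.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "traversal":     "GET /images/..%2Frobots.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "dot-encoded":   "GET /robots%2etxt?x=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "mixed-case":    "GET /RoBoTs.TxT HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "unrelated":     "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def extract_uri(request):
    """Return the request-target from the first line, or None if malformed."""
    first_line = request.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else None


def normalize_uri(uri):
    """Hypothetical, simplified http_inspect-style normalisation.

    Order matters: decode first, then collapse slashes, then resolve
    path segments, so that %2F and ..%2F tricks are undone before the
    rule content is compared.
    """
    path = uri.split("?", 1)[0]                       # drop query string
    path = re.sub(r"%([0-9A-Fa-f]{2})",               # single-pass %xx decoding
                  lambda m: chr(int(m.group(1), 16)), path)
    path = re.sub(r"/+", "/", path)                   # collapse repeated slashes
    out = []
    for seg in path.split("/"):                       # resolve "." and ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def uricontent_match(request, pattern=RULE_URICONTENT,
                     nocase=RULE_NOCASE, normalize=True):
    """Apply the rule's uricontent/nocase test to one request.

    normalize=False models a sensor without http_inspect: the raw
    request-line URI is searched. nocase is the rule's own option and is
    honoured either way.
    """
    uri = extract_uri(request)
    if uri is None:
        return False
    haystack = normalize_uri(uri) if normalize else uri
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def evaluate(normalize=True):
    """Run every sample request through the rule; name -> alerted?"""
    return {name: uricontent_match(req, normalize=normalize)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    with_pp, without_pp = evaluate(True), evaluate(False)
    print(f"{'request':<14}{'raw URI':<32}{'normalised':<16}{'no http_inspect':<17}with http_inspect")
    for name, req in SAMPLE_REQUESTS.items():
        raw = extract_uri(req)
        print(f"{name:<14}{raw:<32}{normalize_uri(raw):<16}"
              f"{str(without_pp[name]):<17}{with_pp[name]}")
```

Only the plain and mixed-case requests alert without the normalisation pass (mixed-case because `nocase` is a rule option, not a preprocessor feature); every encoded variant alerts only once the URI has been decoded first. A real sensor check is the one Brian did above: confirm that SID 1852 fires on a sensor with `http_inspect` configured before debugging the same rule under snort_inline.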