09-25-2006 01:10 PM - edited 03-10-2019 03:14 AM
Hi,
I would like to create a signature which fires when a server reports HTTP Not found.
For testing purposes I have used space ([\x20]) for matching regexp. It does not work. When I
set the direction from "from-service" to "to-service" it works. Does someone have an idea?
There are no filters.
The signature is the following:
sig-id: 60008
subsig-id: 0
-----------------------------------------------
alert-severity: medium default: medium
sig-fidelity-rating: 100 default: 75
promisc-delta: 10 default: 0
sig-description
-----------------------------------------------
sig-name: HTTP not found v2 default: My Sig
sig-string-info: HTTP not found default: My Sig Info
sig-comment: Sig Comment default: Sig Comment
alert-traits: 0 default: 0
release: custom default: custom
-----------------------------------------------
engine
-----------------------------------------------
string-tcp
-----------------------------------------------
event-action: produce-alert default: produce-alert
strip-telnet-options: false default: false
specify-min-match-length
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
regex-string: [\x20]
service-ports: 80
direction: from-service default: to-service
specify-exact-match-offset
-----------------------------------------------
no
-----------------------------------------------
specify-max-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-min-match-offset
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
swap-attacker-victim: false default: false
-----------------------------------------------
-----------------------------------------------
event-counter
-----------------------------------------------
event-count: 1 default: 1
event-count-key: Axxx default: Axxx
specify-alert-interval
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
09-25-2006 01:19 PM
The "from-service" just means the signature fires when the source port is 80. The default, "to-service", fires only if you are connecting to a destination port of 80. Basically the "from-service" fires on return web traffic only, which is what should happen. Not sure why they made the default "to-service" (doesn't make much sense).
09-25-2006 10:46 PM
Yes, you are right. I want to check traffic ("Not found") in packets whose source port is tcp/80. I think "from-service" should be used as seen in the config. (I hope "default: to-service" just means that the default setting is to-service, but now the setting is "from-service".)
09-26-2006 07:15 AM
Take a look at 6256-0 for an example of how Cisco does this. That signature detects HTTP status code 401. Clone and change to 404 and you're in business. You'll want to tweak the event count and alert frequency settings of course.
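The two replies above describe the direction check (a "from-service" string-tcp signature inspects only packets leaving the service port, where an HTTP status line can appear) and the event-count knob. The following is an added Python model of that logic, not Cisco code and not the regex of signature 6256-0: the `^HTTP/1\.[01] 404 ` pattern, the host addresses and the packet payloads are all constructed for illustration, and the event-count key (Axxx, the attacker address) is simplified to the packet's source address.

```python
"""Toy model of a Cisco IPS string-tcp custom signature: direction check,
regex match on the TCP payload, and a per-key event counter.
Added illustration, not Cisco code; regex and traffic are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class StringTcpSig:
    sig_id: int
    regex: re.Pattern          # compiled bytes pattern applied to the TCP payload
    service_ports: frozenset   # the signature's service-ports
    direction: str             # "to-service" or "from-service"
    event_count: int = 1       # alert once this many matches share one key
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def direction_ok(self, pkt: Packet) -> bool:
        # to-service: packet is heading to the service port (client -> server).
        # from-service: packet leaves the service port (server -> client),
        # which is the only place an HTTP status line such as "404" shows up.
        if self.direction == "to-service":
            return pkt.dst_port in self.service_ports
        if self.direction == "from-service":
            return pkt.src_port in self.service_ports
        raise ValueError(f"unknown direction {self.direction!r}")

    def inspect(self, pkt: Packet) -> bool:
        """Return True when this packet makes the signature produce an alert."""
        if not self.direction_ok(pkt) or not self.regex.search(pkt.payload):
            return False
        # event-count-key Axxx = attacker address; simplified here to the
        # packet's source address (an assumption, not the real engine's rule).
        key = pkt.src_ip
        self.counters[key] += 1
        if self.counters[key] < self.event_count:
            return False
        self.counters[key] = 0   # threshold reached: alert and start over
        return True


# Constructed sample traffic between a client and a web server.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
REQUEST = Packet(CLIENT, 51000, SERVER, 80,
                 b"GET /missing.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
RESP_404 = Packet(SERVER, 80, CLIENT, 51000,
                  b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
RESP_200 = Packet(SERVER, 80, CLIENT, 51000,
                  b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

# Assumed pattern for an HTTP 404 status line (not taken from 6256-0).
NOT_FOUND = re.compile(rb"^HTTP/1\.[01] 404 ")


def make_sig(direction: str, event_count: int = 1) -> StringTcpSig:
    """Build the custom 404 signature with the given direction and event count."""
    return StringTcpSig(60008, NOT_FOUND, frozenset({80}), direction, event_count)


def demo() -> dict:
    """Run the four cases that show why the direction must be from-service."""
    from_svc = make_sig("from-service")
    to_svc = make_sig("to-service")
    return {
        "from-service on 404 response": from_svc.inspect(RESP_404),
        "from-service on request": from_svc.inspect(REQUEST),
        "from-service on 200 response": from_svc.inspect(RESP_200),
        "to-service on 404 response": to_svc.inspect(RESP_404),
    }


if __name__ == "__main__":
    for what, fired in demo().items():
        print(f"{what}: {'ALERT' if fired else 'no alert'}")
```

With direction "to-service" the 404 response is never even examined, because its destination port is the client's ephemeral port, not 80. Raising `event_count` to 3 makes the signature stay silent until the third 404 from the same key, which is the kind of tuning the reply above suggests to keep ordinary broken links from flooding the console.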
09-26-2006 08:37 AM
Thank you very much, it works.