Reputation: 331
I am trying to verify the contents of the HTTP response to find the content "abbb" in it. So my rule was:
alert tcp MY_SERVER HTTP_PORTS -> any any(msg:"The page accessed has content abbb";to_client; established; content:"abb";sid:XXXXX; rev:x;)
Unfortunately this rule seems not to work. Can anyone please tell me if there is some issue with my rule?
Upvotes: 1
Views: 5278
Reputation: 1103
For starters you need to fix the to_client part of the rule as this is not valid syntax. You will need to change this to be:
flow:to_client,established;
You can find more on flow here.
If you are just looking for the content "abbb" sent from your server to the client then you just need a simple content match like you have. I recommend using the fast pattern matcher here to improve the efficiency of the rule. So your content match would look something like:
content:"abbb"; fast_pattern:only;
Putting this together, your rule might look something like:
alert tcp MY_SERVER HTTP_PORTS -> any any (msg:"The page accessed has content abbb"; flow:to_client,established; content:"abbb"; fast_pattern:only; sid:XXXXX; rev:x;)
If this still isn't triggering then there is probably something else going on. Since you are just looking for this in the content, you need to check your inspection depth in the http preprocessor. There is a server_flow_depth and a client_flow_depth. Try setting these to 0 (unlimited) and see if your rule triggers after that. For example, if you had a client_flow_depth of 300 and the content "abbb" didn't come until after 500 bytes, then the rule is never going to trigger because Snort isn't configured to inspect that far into the payload.
If you have adaptive profiling enabled then you need to add the metadata service for http otherwise the rule won't match http traffic. This would look something like:
metadata:service http;
If you don't use adaptive profiling then it will use the ports in the rule header.
Upvotes: 1
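The syntax problems the answer points out (bare `to_client`/`established` instead of a `flow` option, and a content match without `fast_pattern`) are easy to catch before a rule ever reaches Snort. The following small Snort 2 rule linter is an added example, not code from the thread; the two rule strings are the question's and the answer's rules, with their `sid`/`rev` placeholders kept as written.

```python
import re

# Snort 2 rule linter for the mistakes discussed above. These words are
# valid only as arguments of the flow keyword, never as options on their own.
FLOW_ONLY = {"to_client", "to_server", "from_client", "from_server",
             "established", "stateless"}
HEADER_RE = re.compile(
    r"^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")

# The two rules from the thread (sid/rev placeholders kept as written).
QUESTION_RULE = ('alert tcp MY_SERVER HTTP_PORTS -> any any(msg:"The page accessed '
                 'has content abbb";to_client; established; content:"abb";sid:XXXXX; rev:x;)')
FIXED_RULE = ('alert tcp MY_SERVER HTTP_PORTS -> any any (msg:"The page accessed has '
              'content abbb"; flow:to_client,established; content:"abbb"; '
              'fast_pattern:only; sid:XXXXX; rev:x;)')

def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes (a msg or content
    value containing ';' must not be cut in half). Returns (key, value) pairs."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    opts.append(cur)
    pairs = []
    for o in opts:
        if o.strip():
            k, _, v = o.partition(":")
            pairs.append((k.strip(), v.strip()))
    return pairs

def lint_rule(rule):
    """Return the problems found in one rule; an empty list means it passed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not parse: expected 'action proto src sport -> dst dport (options)'"]
    pairs = split_options(m.group("opts"))
    keys = [k for k, _ in pairs]
    problems = [f"'{k}' is not a keyword; use flow:{k} (e.g. flow:to_client,established;)"
                for k in keys if k in FLOW_ONLY]
    if "sid" not in keys:
        problems.append("missing sid")
    if "content" in keys and "fast_pattern" not in keys:
        problems.append("content without fast_pattern; add fast_pattern:only; for a single literal")
    return problems
```

Running `lint_rule` on the question's rule reports the two stray flow arguments and the missing `fast_pattern`; the answer's corrected rule passes with no findings.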