
I am trying to understand how to write rules for Snort. My further goal is the detection of SQL injections like here.

I've read the documentation of snort rules and created this rule:

alert tcp any any -> any 80 (msg:"SQL Injection - Paranoid"; content:".php"; http_raw_header; sid:51233333;)

within /etc/snort/rules/mysql.rules, which is referenced from /etc/snort/snort.conf. I was expecting that this rule would alert on every single PHP call, but nothing was logged. I also tried http_header and http_uri instead of http_raw_header. I call Snort like this:

sudo snort -A console -c /etc/snort/snort.conf

Could someone please tell me how to log every call of a ".php" file through HTTP? Then I will be able to go on with the next steps.

Further information about my environment: Snort is running within a VirtualBox VM with Ubuntu 15.04 as OS. The network is bridged and promiscuous mode is enabled for all VMs. Within the same VM, a XAMPP server with Mutillidae is running, which should be attacked. If you need further information, let me know! Any advice would be appreciated! Thank you!

Jan
  • your snort rule will alert when you download a .php file, not when php runs on the page – schroeder Jun 13 '15 at 05:47
  • I've tried it with a direct download (Save as...) from Firefox and with wget. I even changed *.php* to *body*, which means (if I got you right) it should alert on nearly every HTML page download. Nothing has happened so far. But Snort is complaining about some UPnP scans and Bad Traffic, but not my message. And Snort binds to the right interface eth0 (I just have eth0 and lo) – Jan Jun 13 '15 at 08:40
  • Well, I found another simple rule [here](http://security.stackexchange.com/questions/15238/testing-snort-ids-installation?rq=1) which works for me. That led me to change my rule to `alert tcp any any -> any 80 (msg: "Hello world!"; content: "php"; sid:51233333;)`, which does exactly what I expected, but why doesn't it work with *http_raw_header* and *http_uri*? – Jan Jun 13 '15 at 09:07
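The difference the last comment asks about comes down to which buffer a content: option is searched in. The toy model below is an added example, not code from the question, the answer or the Snort project: it assumes the Snort 2.9 buffer layout (a plain content: searches the whole TCP payload, http_uri only the request URI, http_header and http_raw_header only the header fields after the request line), and it uses a constructed request and constructed sid values. In real Snort these http_* buffers only exist once the http_inspect preprocessor has parsed the stream on that port; a rule using them never fires otherwise.

```python
import re

# Constructed sample request (not captured traffic): ".php" appears only in the URI.
REQUEST = (b"GET /mutillidae/index.php?page=login.php HTTP/1.1\r\n"
           b"Host: xampp.local\r\nUser-Agent: Mozilla/5.0\r\n\r\n")

# Modifiers that redirect a content: match to one buffer (assumed buffer layout).
BUFFER_MODIFIERS = {"http_uri", "http_method", "http_header", "http_raw_header", "http_client_body"}
# content:[!]"pattern" followed by bare modifiers; keyword:value options are not consumed.
_CONTENT = re.compile(r'content:\s*(!?)"([^"]*)"((?:\s*;\s*[a-z_]+(?![:\w]))*)')

def http_buffers(payload: bytes) -> dict:
    """Split an HTTP request into the buffers a Snort content: option can target."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    return {
        "payload": payload,                               # plain content: searches everything
        "http_method": parts[0],
        "http_uri": parts[1] if len(parts) > 1 else b"",  # URI only; real Snort normalizes it first
        "http_header": headers,                           # header fields, request line excluded
        "http_raw_header": headers,                       # same bytes here; Snort skips normalization
        "http_client_body": body,
    }

def rule_matches(rule: str, payload: bytes) -> bool:
    """True if every content: option of the rule is satisfied against its buffer."""
    buffers = http_buffers(payload)
    for negate, pattern, mods in _CONTENT.findall(rule):
        modifiers = {m.strip() for m in mods.split(";") if m.strip()}
        target = next((m for m in modifiers if m in BUFFER_MODIFIERS), "payload")
        hay, needle = buffers[target], pattern.encode()
        if "nocase" in modifiers:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == bool(negate):   # a negated content must be absent
            return False
    return True

# The rules from the question plus an http_uri variant (sids 51233334/5 are constructed).
RULES = {
    "payload":    'alert tcp any any -> any 80 (msg:"Hello world!"; content:"php"; sid:51233333;)',
    "http_uri":   'alert tcp any any -> any 80 (msg:"php in URI"; content:".php"; http_uri; sid:51233334;)',
    "raw_header": 'alert tcp any any -> any 80 (msg:"php in hdr"; content:".php"; http_raw_header; sid:51233335;)',
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:11s} -> {rule_matches(rule, REQUEST)}")
```

Running it shows the plain and http_uri rules matching while the http_raw_header rule does not, because ".php" never occurs in the header fields of this request.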

1 Answer


Not sure how helpful this is, but have you tried

<?php

as your content instead. [Untested] I've only personally set up TCP DDoS blocks using Snort + SnortSam for a uni project.

Also check that you have defined the correct NIC in the conf file.

Hope someone can give you a more direct answer.

Altan