I am trying to understand writing rules for snort. Further goal is detection of sql injections like here.
I've read the documentation of snort rules and created this rule:
alert tcp any any -> any 80 (msg:"SQL Injection - Paranoid"; content:".php"; http_raw_header; sid:51233333;)
within /etc/snort/rules/mysql.rules, which is referenced from /etc/snort/snort.conf. I was expecting that this rule would alert on every single call of a .php, but nothing was logged. I also tried http_header and http_uri instead of http_raw_header.
I call snort like this:
sudo snort -A console -c /etc/snort/snort.conf
Could someone please tell me how to log every call of a ".php" through HTTP? Then I am able to go on with the next steps.
Further information about my environment: Snort is running within a VirtualBox VM with Ubuntu 15.04 as OS. The network is bridged and promiscuous mode is enabled for all VMs. Within the same VM, a XAMPP server with Mutillidae is running, which should be attacked. If you need further information, let me know! Any advice would be appreciated! Thank you!
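As an added example (not part of the original post), here is a rule that searches the request URI instead of the header fields. In Snort 2.9 the http_raw_header and http_header modifiers restrict the content match to the extracted HTTP header fields, so a ".php" that appears only in the request line (e.g. GET /index.php) is not found there; http_uri searches the normalized request URI, which is where a page name lives. The rule assumes the stock snort.conf, i.e. the http_inspect preprocessor enabled on port 80 and $HOME_NET / $HTTP_PORTS set so that the XAMPP host and port 80 are covered; the msg text and SID are placeholders. A second rule sketches the next step from the question, a crude single-quote or comment-sequence check on the URI, which is illustrative only and will produce false positives on legitimate input.

```snort
# Added example, not from the original post. Assumes default snort.conf:
# http_inspect active on $HTTP_PORTS (includes 80) and $HOME_NET covering
# the web server. msg and sid values are placeholders (local SIDs >= 1000000).

# Alert on every client request whose normalized URI contains ".php".
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"WEB-APP PHP page requested"; flow:to_server,established; content:".php"; http_uri; nocase; classtype:web-application-activity; sid:1000001; rev:1;)

# Follow-on step from the question: flag a single quote or "--" in the
# normalized URI of a request for a .php page. Crude, high false-positive
# rate; shown only to illustrate the URI buffer with pcre (U = URI buffer).
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"WEB-APP possible SQL injection in PHP request URI"; flow:to_server,established; content:".php"; http_uri; nocase; pcre:"/('|--)/U"; classtype:web-application-attack; sid:1000002; rev:1;)
```

Two checks are worth doing before tuning the rule itself: confirm that Snort sees the traffic at all by listening on the right interface (requests sent from inside the same VM to a server on that VM traverse the loopback interface, which needs -i lo rather than the bridged adapter), and confirm with a rule that has no http_* modifier (plain content:".php";) that packets reach the detection engine, which separates a visibility problem from an http_inspect configuration problem.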