Snort custom rule not working (content:"GET")

[Konrad Uminski]

Hi,
I created a standalone VM server (security onion) and I did my usual test to testmyids.com
I received an alert.
Then I wrote a test rule:
alert TCP any any -> any any (msg:"Test"; sid: 9010101; rev:1;)
I did a random google search
several alerts went off.

Then I wrote third rule
alert $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Get test rule"; content:"GET"; sid:9010102; rev:1;)
then I went to http://dlptest.com/http-post/
no alert.
Not sure why, the rule is fairly simple, I pulled the traffic in wireshark, and filtered http.request.method and there was the packet with a GET request.

Any help would be appreciated.

I also tried adding the flags of nocase; and http_method; to the rule and no results.

[Wes]

Konrad,

You may want to try taking a look at the following as an example:
https://stackoverflow.com/questions/28395370/snort-rule-to-detect-http-flood

Thanks,
Wes

[Kevin Branch]

Your GET rule is missing the protocol field ('tcp' in this case).  Try this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Get test rule"; content:"GET"; sid:9010102; rev:1;)

When you add a custom rule and it does not seem to be working, it may be getting skipped by Snort or Suricata due to a parsing error.  Check your appropriate snort/suricata log to see if that is what you are dealing with.

Kevin

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.