Snort rule failing to alert to log
Question
I am writing a custom rule for the following exploit: http://www.exploit-db.com/exploits/36100/
I have ran the exploit, and the packet I am writing the rule around can be seen here: http://txt.do/cxgb
This is the current rule I am using:
alert tcp any any -> any any (msg:"X360 VideoPlayer ActiveX Control Buffer Overflow"; flow:to_server,established; content:"\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20\x81\xc4\x30\xf8\xff\xff"; fast_pattern; http_client_body; metadata: service http; sid:1000007; rev:1;)
However, Snort is failing to alert on this. Can anybody see why? Thanks in advance.
1 answers
solution1
1 ACCPTED 2015-03-11 14:02:42
As you mentioned in your comment, since you don't have a port specified snort won't treat the traffic as http and therefore will not populate the http buffers. Since this is the case you need to remove the http content modifier because this will never match. Take out the "http_client_body".
To match the literal character \\ you need to escape it with a \\ for example "\\\\x64"
Also, this content is going from server to client (it's serving an http page). You need to change the flow to "flow: to_client, established"
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.