How to create a Snort custom rule to not allow ip in the url?



  • Hi.

    How to create a Snort custom rule to not allow ip in the url?

http://one-domain.com <---> allow
    http://1.2.3.4 <---> not allow

    Regards.



  • @javcasta:

    Hi.

    How to create a Snort custom rule to not allow ip in the url?

http://one-domain.com <---> allow
    http://1.2.3.4 <---> not allow

    Regards.

    I don't believe you can do that.  The source and destination address values in the rules must be numbers.  Variable substitution is allowed, but even then the value substituted for the variable at runtime must be numeric.  See the HOME_NET and EXTERNAL_NET variables for examples.

    No matter what you type in the URL field for your browser, the browser will convert it to the numeric IP address before sending the request out.  So your example domain name would generate a DNS lookup from your browser to get the actual IP address for the domain.  The browser would then put that IP address in the web request.  If what is typed in the URL is already a valid IP address, the DNS lookup part is skipped.  No matter, what leaves the browser destined for Snort to inspect has already been converted to a numeric IP address.

    I guess you could do some very limited content inspection on the payload of port 80 HTTP requests, but not sure that will be very effective.  And should the protocol be HTTPS instead, then content inspection by Snort won't work due to the encryption.

    Bill



  • Maybe with ???

    http://asecuritysite.com/forensics/snort?fname=webpage.pcap&rulesname=ruleip.rules

    IP address

# One rule per line. Dots are escaped so they match only a literal "."; the
# stray content:"number" match (which limited the rule to payloads containing
# that word) is dropped so the rule does what the msg says.
alert tcp any any <> any any (msg:"IP address"; pcre:"/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/"; sid:9000003; rev:1;)
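Bill's point about content inspection of port 80 payloads and the pcre rule in the last post both come down to what the regex is anchored to. Searched over the whole payload with unescaped dots, the posted pattern also fires on an IP that only appears in the URL path, and on any four digits separated by single characters. The script below is an added example, not code from this thread or from asecuritysite.com: it runs the posted pattern and a Host-header-anchored pattern side by side over constructed HTTP/1.1 request payloads, and carries the equivalent Snort rule as a string. Assumptions: Snort 2.9 rule syntax (the `H` pcre modifier selects the normalized `http_header` buffer), the `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables from a default snort.conf, and `sid:9000004` as a placeholder in the local sid range.

```python
"""Does an HTTP/1.1 request ask for an IP-literal host?

Added example, not from the thread. It mirrors in Python's re module the
logic of a Snort pcre rule so two patterns can be compared on constructed
request payloads: the unanchored dotted-quad regex posted in the thread and a
version anchored to the Host header.
"""
import re

# Pattern exactly as posted in the thread: unescaped dots, no anchor.
LOOSE_IP = re.compile(rb"[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}")

# Anchored version: only the Host header line, dots escaped, optional :port.
# Octets above 255 are still admitted (as in the thread's pattern); tighten
# the \d{1,3} groups if that matters for your alerting.
HOST_IP_LITERAL = re.compile(
    rb"^Host:[ \t]*\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?\r?$",
    re.MULTILINE | re.IGNORECASE,
)

# Equivalent Snort 2.9 rule (assumed syntax; sid 9000004 is a placeholder).
# content + http_header gives the fast-pattern matcher something cheap to
# look for before the pcre runs; /H restricts the pcre to the header buffer.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"HTTP request to IP-literal host"; flow:to_server,established; '
    'content:"Host|3A| "; http_header; nocase; '
    r'pcre:"/^Host:[ \t]*\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?\r?$/Hmi"; '
    'classtype:policy-violation; sid:9000004; rev:1;)'
)

# Constructed sample payloads (not captured traffic); CRLF line endings as on the wire.
SAMPLE_REQUESTS = {
    "name_host": b"GET / HTTP/1.1\r\nHost: one-domain.com\r\nUser-Agent: x\r\n\r\n",
    "ip_host": b"GET / HTTP/1.1\r\nHost: 1.2.3.4\r\nUser-Agent: x\r\n\r\n",
    "ip_host_port": b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n\r\n",
    # IP only in the path: the loose pattern fires, the anchored one does not.
    "ip_in_path_only": b"GET /docs/1.2.3.4/readme HTTP/1.1\r\nHost: one-domain.com\r\n\r\n",
    # No IP at all: unescaped dots let "1a2b3c4" satisfy the loose pattern.
    "dots_unescaped_trap": b"GET / HTTP/1.1\r\nHost: one-domain.com\r\nX-Build: 1a2b3c4d5e6f\r\n\r\n",
}


def header_block(payload: bytes) -> bytes:
    """Request line plus headers: everything up to the blank line."""
    end = payload.find(b"\r\n\r\n")
    return payload if end < 0 else payload[:end + 2]


def loose_match(payload: bytes) -> bool:
    """The thread's pattern, searched over the whole payload."""
    return LOOSE_IP.search(payload) is not None


def host_is_ip_literal(payload: bytes) -> bool:
    """Fires only when the Host header value is a dotted quad (optionally :port)."""
    return HOST_IP_LITERAL.search(header_block(payload)) is not None


def compare(requests: dict) -> dict:
    """Map each sample name to (loose_match, host_is_ip_literal)."""
    return {name: (loose_match(p), host_is_ip_literal(p)) for name, p in requests.items()}


if __name__ == "__main__":
    for name, (loose, anchored) in compare(SAMPLE_REQUESTS).items():
        print(f"{name:22s} loose={str(loose):5s} host_anchored={anchored}")
    print("\nSnort rule:\n" + SNORT_RULE)
```

In Snort terms the anchored rule alerts only when the host the client asked for is a dotted quad, which is the distinction the original question wants; the two trap payloads show why the unanchored version would be noisy. For HTTPS the Host header is encrypted, and RFC 6066 forbids IP literals in the TLS server_name (SNI) extension, so a browser contacting https://1.2.3.4 sends a ClientHello with no SNI at all; on port 443 a missing SNI is the observable hint, not the URL.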

