Tags: snort, intrusion-detection

Snort rule failing to alert to log


I am writing a custom rule for the following exploit: http://www.exploit-db.com/exploits/36100/

I have run the exploit, and the packet I am writing the rule around can be seen here: http://txt.do/cxgb

This is the current rule I am using:

alert tcp any any -> any any (msg:"X360 VideoPlayer ActiveX Control Buffer Overflow"; flow:to_server,established; content:"\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20\x81\xc4\x30\xf8\xff\xff"; fast_pattern; http_client_body; metadata: service http; sid:1000007; rev:1;)  

However, Snort is failing to alert on this. Can anybody see why? Thanks in advance.


Solution

  • As you mentioned in your comment, since you don't have a port specified Snort won't treat the traffic as HTTP and therefore will not populate the HTTP buffers. Since this is the case you need to remove the HTTP content modifier, because this will never match. Take out the "http_client_body".

    To match the literal character \ you need to escape it with a \, for example "\\x64".

    Also, this content is going from server to client (it's serving an http page). You need to change the flow to "flow: to_client, established"
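As an added illustration (not code from the question or the answer), here is a small Python model of how Snort turns a content string into the bytes it searches for, run against a constructed HTTP response body that carries the shellcode as JavaScript text. It shows why the unescaped content cannot match the literal backslashes on the wire while the answer's "\\x64" form does, and it goes one step beyond the answer by also showing the |64 a1 18| hex-pipe notation for matching raw bytes instead of text. The escape handling follows the Snort manual; how unknown escapes are treated is an assumption of this model, not verified Snort behaviour.

```python
# Constructed sample: the response body a server might send for the exploit
# page. The shellcode sits inside a JavaScript string, so the bytes on the
# wire are the ASCII characters backslash, 'x', '6', '4', ... not 0x64.
SAMPLE_RESPONSE_BODY = (
    b"<html><body><script>\n"
    b'var sc = "\\x64\\xa1\\x18\\x00\\x00\\x00\\x83\\xc0\\x08";\n'
    b"</script></body></html>\n"
)


def content_to_bytes(content: str) -> bytes:
    """Translate a Snort content:"..." string into the bytes it matches.

    Modelled rules (per the Snort manual): |..| encloses hex bytes, and a
    backslash escapes the next character (\\\\, \\", \\;, \\|). Any other
    escaped character is kept as the literal character without its backslash;
    that part is an assumption of this model, Snort itself may reject it.
    """
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":                      # hex block such as |64 a1 18|
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\":                   # backslash escape: keep next char
            out.append(ord(content[i + 1]))
            i += 2
        else:                              # plain literal character
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, content: str) -> bool:
    """True if the bytes described by the content string occur in payload."""
    return content_to_bytes(content) in payload


if __name__ == "__main__":
    # Unescaped form from the question: the backslashes are consumed as escapes.
    print(content_matches(SAMPLE_RESPONSE_BODY, r"\x64\xa1\x18"))      # False
    # Escaped form from the answer: matches the literal backslash text.
    print(content_matches(SAMPLE_RESPONSE_BODY, r"\\x64\\xa1\\x18"))   # True
    # Hex-pipe form: matches raw bytes 64 a1 18, which this text page lacks.
    print(content_matches(SAMPLE_RESPONSE_BODY, "|64 a1 18|"))         # False
```

The hex-pipe form is the one to use when the packet carries the shellcode as raw bytes rather than as source text, so check the packet capture before choosing between the two.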