Add tests for #130: content + nocase issue
authorShivani Bhardwaj <shivanib134@gmail.com>
Sun, 30 Jun 2019 06:53:07 +0000 (12:23 +0530)
committerJason Ish <jason.ish@oisf.net>
Wed, 13 Nov 2019 22:45:07 +0000 (16:45 -0600)
Closes redmine ticket #3057.

tests/bug-130/input.pcap [new file with mode: 0644]
tests/bug-130/test.rules [new file with mode: 0644]
tests/bug-130/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-130/input.pcap b/tests/bug-130/input.pcap
new file mode 100644 (file)
index 0000000..b7e0caf
Binary files /dev/null and b/tests/bug-130/input.pcap differ
diff --git a/tests/bug-130/test.rules b/tests/bug-130/test.rules
new file mode 100644 (file)
index 0000000..30e718b
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any 80 -> any any (msg:"no1"; flow:to_client,established; content:"WWW-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000000; rev:1;)
+alert tcp any 80 -> any any (msg:"ok1"; flow:to_client,established; content:"Www-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
+alert tcp any 80 -> any any (msg:"ok2"; flow:to_client,established; content:"WWW-Authenticate\:"; nocase; classtype:web-application-activity; sid:9000002; rev:1;)
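Review bot: The three rules differ only in the case of the `content` pattern and in whether it carries the trailing space, and nothing in the file records which of those variations each rule pins for #130, so a later clean-up could collapse them into one rule without noticing what is lost. A leading comment would keep the intent next to the rules: `# Regression for #130 (content + nocase): the same header is matched uppercase with trailing space (no1), mixed case (ok1) and uppercase without the trailing space (ok2); all three must fire once on input.pcap.` The `msg` values `no1`/`ok1`/`ok2` hint at the expected outcome but are not self-explanatory without that note.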
diff --git a/tests/bug-130/test.yaml b/tests/bug-130/test.yaml
new file mode 100644 (file)
index 0000000..f95b72f
--- /dev/null
@@ -0,0 +1,198 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert:
+        action: allowed
+        category: access to a potentially vulnerable web application
+        gid: 1
+        rev: 1
+        severity: 2
+        signature: no1
+        signature_id: 9000000
+      app_proto: http
+      dest_ip: 10.100.0.8
+      dest_port: 44270
+      event_type: alert
+      flow:
+        bytes_toclient: 2295
+        bytes_toserver: 1036
+        pkts_toclient: 7
+        pkts_toserver: 7
+        start: 2009-02-23T13:23:33.331321+0000
+      http:
+        hostname: www.abcdefghij.com
+        http_content_type: text/html
+        http_method: GET
+        http_refer: http://www.abcdefghij.com/abdeltat/login
+        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+          Firefox/3.0.6
+        length: 1483
+        protocol: HTTP/1.1
+        status: 401
+        url: /publication/pub.home/home.html
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 162.2.41.200
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      alert:
+        action: allowed
+        category: access to a potentially vulnerable web application
+        gid: 1
+        rev: 1
+        severity: 2
+        signature: ok1
+        signature_id: 9000001
+      app_proto: http
+      dest_ip: 10.100.0.8
+      dest_port: 44270
+      event_type: alert
+      flow:
+        bytes_toclient: 2295
+        bytes_toserver: 1036
+        pkts_toclient: 7
+        pkts_toserver: 7
+        start: 2009-02-23T13:23:33.331321+0000
+      http:
+        hostname: www.abcdefghij.com
+        http_content_type: text/html
+        http_method: GET
+        http_refer: http://www.abcdefghij.com/abdeltat/login
+        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+          Firefox/3.0.6
+        length: 1483
+        protocol: HTTP/1.1
+        status: 401
+        url: /publication/pub.home/home.html
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 162.2.41.200
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      alert:
+        action: allowed
+        category: access to a potentially vulnerable web application
+        gid: 1
+        rev: 1
+        severity: 2
+        signature: ok2
+        signature_id: 9000002
+      app_proto: http
+      dest_ip: 10.100.0.8
+      dest_port: 44270
+      event_type: alert
+      flow:
+        bytes_toclient: 2295
+        bytes_toserver: 1036
+        pkts_toclient: 7
+        pkts_toserver: 7
+        start: 2009-02-23T13:23:33.331321+0000
+      http:
+        hostname: www.abcdefghij.com
+        http_content_type: text/html
+        http_method: GET
+        http_refer: http://www.abcdefghij.com/abdeltat/login
+        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+          Firefox/3.0.6
+        length: 1483
+        protocol: HTTP/1.1
+        status: 401
+        url: /publication/pub.home/home.html
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 162.2.41.200
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      dest_ip: 162.2.41.200
+      dest_port: 80
+      event_type: http
+      http:
+        hostname: www.abcdefghij.com
+        http_content_type: text/html
+        http_method: GET
+        http_refer: http://www.abcdefghij.com/abdeltat/login
+        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+          Firefox/3.0.6
+        length: 1483
+        protocol: HTTP/1.1
+        status: 401
+        url: /publication/pub.home/home.html
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 10.100.0.8
+      src_port: 44270
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      app_proto: http
+      dest_ip: 10.100.0.8
+      dest_port: 44270
+      event_type: fileinfo
+      fileinfo:
+        filename: /publication/pub.home/home.html
+        gaps: false
+        sid: []
+        size: 1483
+        state: CLOSED
+        stored: false
+        tx_id: 0
+      http:
+        hostname: www.abcdefghij.com
+        http_content_type: text/html
+        http_method: GET
+        http_refer: http://www.abcdefghij.com/abdeltat/login
+        http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+          Firefox/3.0.6
+        length: 1483
+        protocol: HTTP/1.1
+        status: 401
+        url: /publication/pub.home/home.html
+      pcap_cnt: 14
+      proto: TCP
+      src_ip: 162.2.41.200
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      app_proto: http
+      dest_ip: 162.2.41.200
+      dest_port: 80
+      event_type: flow
+      flow:
+        age: 0
+        alerted: true
+        bytes_toclient: 2295
+        bytes_toserver: 1036
+        end: 2009-02-23T13:23:33.589165+0000
+        pkts_toclient: 7
+        pkts_toserver: 7
+        reason: shutdown
+        start: 2009-02-23T13:23:33.331321+0000
+        state: closed
+      proto: TCP
+      src_ip: 10.100.0.8
+      src_port: 44270
+      tcp:
+        ack: true
+        fin: true
+        psh: true
+        state: closed
+        syn: true
+        tcp_flags: 1b
+        tcp_flags_tc: 1b
+        tcp_flags_ts: 1b
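Review bot: The `start` and `end` values such as `start: 2009-02-23T13:23:33.331321+0000` are unquoted timestamp-looking scalars; they appear to stay strings only because the loader's timestamp pattern does not accept the `+0000` zone form, so if a loader ever converted them to datetime objects the comparison against the eve record would silently fail. Quoting them, `start: "2009-02-23T13:23:33.331321+0000"`, removes that dependency; the same applies to the other `flow.start` keys and to `end`. The sequence under `args:` is indented by one space while `checks:` is flush and `requires.features` uses two spaces, which yamllint's indentation check would flag; `  - -k none` (or flush, like `checks`) would make the file consistent. The `http_user_agent` value is a plain scalar continued onto the following line and is folded into one string on load, which works but is easy to break when editing; keeping it on one quoted line would be safer.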