Re: PCRE and uricontent anchor

[L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>]

Homework! Yah!

Joel is correct you could also add 'content:"POST"; http_method;' to
only match on POST events,

Cheers,

-L0rd Ch0de1m0rt

On 3/26/10, Joel Esler <joel.esler () me com> wrote:
> Using your below example:
>
> On Mar 26, 2010, at 2:18 PM, Curt Shaffer wrote:
>
> > I am attempting to write a rule that would capture a POST event to a url
> > with a specific file. Here is an example:
> >
> > https://www.example.com/abc.aspx?id=459184950
> >
> > The id section is always different. We also want to look for any similar
> > POSTS to any address. With that in mind, here is the basis of what we came
> > up with.
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Bad stuff potentially
> going on unencrypted"; uricontent:"aspx?id="; pcre:"/aspx\?id=\d*/U";
> classtype:trojan-activity; sid:x; rev:1;)
>
>
> --
> Joel Esler
> http://blog.joelesler.net
>
>
>
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs