Snort mailing list archives
Re: Need help with Snort Rule for a HTTP GET parameter and pattern matching.
From: Y M <snort () outlook com>
Date: Thu, 31 Jul 2014 12:55:02 +0000
Date: Thu, 31 Jul 2014 08:46:58 -0400
From: sabawoon.majeedzada () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and pattern matching.

Hello Everyone,

I would appreciate it if anyone can help me out with my Snort rule. I would like to generate a Snort rule that can detect an HTTP GET parameter. Example below:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; content:"/index.php?action=";http_method;sid:20000011;)

* The http_method content modifier should refer to the "GET" content match and the URI content match. So a modified version of your rule:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; http_method; content:"/index.php?action=";http_uri;sid:20000011;)

Right now when I type in http://www.example.com/index.php?action=login I do not get an alert generated using the rule above. Or how to detect if the GET HTTP method with a specific parameter has been used or passed a value.

Secondly, how to write a simple pattern that can detect that a specific string or number pattern has been passed to this GET parameter. Just an example pattern for guidance would be nice.

* I am not sure what you mean here, but I am guessing something along the lines of a URL query parameter?

Thanks,
SF

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
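Added example, not part of the original thread and not Snort's own code: a simplified Python model of how a content modifier binds to the content option immediately before it, showing why the first rule in the message never matches the sample URL while the modified rule does. The pcre option with the U flag (URI buffer), its sid 20000012 and the sample request are assumptions constructed here to illustrate the value-pattern question.

```python
import re

# Simplified model of Snort 2.x option handling (an assumption for
# illustration, not Snort's engine): a content modifier applies to the content
# option immediately before it; unmodified content sees the raw packet.
MODIFIERS = {"http_method": "method", "http_uri": "uri"}

def parse_matchers(rule):
    """Return [(kind, pattern, buffer)] for the content/pcre options of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matchers = []
    for opt in (o.strip() for o in body.split(";")):  # naive: no ';' inside values
        if opt.startswith("content:"):
            matchers.append(["content", opt[8:].strip().strip('"'), "raw"])
        elif opt.startswith("pcre:"):
            regex, flags = opt[5:].strip().strip('"')[1:].rsplit("/", 1)
            matchers.append(["pcre", regex, "uri" if "U" in flags else "raw"])
        elif opt in MODIFIERS and matchers:
            matchers[-1][2] = MODIFIERS[opt]  # bind to the previous option
    return [tuple(m) for m in matchers]

def http_buffers(raw):
    """Split a raw request into the buffers the modifiers select (no URI normalization)."""
    method, uri, _ = raw.split("\r\n", 1)[0].split(" ", 2)
    return {"raw": raw, "method": method, "uri": uri}

def rule_fires(rule, raw_request):
    """True when every content/pcre option matches its assigned buffer."""
    bufs = http_buffers(raw_request)
    return all(
        (pat in bufs[buf]) if kind == "content" else bool(re.search(pat, bufs[buf]))
        for kind, pat, buf in parse_matchers(rule))

# The two rules from the thread, msg text left as posted.
ORIGINAL = ('alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; '
            'content:"/index.php?action=";http_method;sid:20000011;)')
MODIFIED = ('alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; '
            'http_method; content:"/index.php?action=";http_uri;sid:20000011;)')
# Hypothetical extension (constructed sid): the action value must be all digits.
NUMERIC = MODIFIED.replace("sid:20000011;",
                           r'pcre:"/[?&]action=\d+(&|$)/U"; sid:20000012;')
# Constructed sample request for the URL quoted in the message.
REQUEST = "GET /index.php?action=login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("modified", MODIFIED),
                       ("numeric", NUMERIC)):
        print(name, rule_fires(rule, REQUEST))
```

In the original rule the http_method modifier lands on the "/index.php?action=" content, so that string is searched for in the method buffer, which holds only "GET".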
Current thread:
- Need help with Snort Rule for a HTTP GET parameter and pattern matching. Sabawoon Mageedzada (Jul 31)
- Re: Need help with Snort Rule for a HTTP GET parameter and pattern matching. Y M (Jul 31)