Snort mailing list archives
Re: Need help with Snort Rule for a HTTP GET parameter and
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Thu, 31 Jul 2014 17:20:08 +0100
Hi Sabawoon,

When you are writing your rules, be careful with formatting and putting spaces in the right place. Try this example:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|index|2e|php|3f|"; nocase; http_uri; classtype:web-application-attack; sid:1000000; rev:1;)

There are a couple of other key points you should also follow when writing your rules. Try to use variables and add the port numbers to them in the snort.conf; it will make life a lot easier in the future and should catch more bad traffic. Also, try to add a revision number to your sids, which helps in troubleshooting many versions of one rule.

I don't like to add plugs on this mailing list, but a tool that will help you to write better Snort rules is available FREE from this link - http://www.ipssecurityrules.co.uk/rules/download_creator.php. Go try it out.

Best regards,
Simon.
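To see what the example rule above actually matches, here is an added Python sketch (not from the original post and not Snort's own matching engine) that decodes the |hex| content notation and applies the content, http_method, http_uri and nocase options to constructed request lines. It handles only the option keywords this rule uses and assumes no escaped semicolons inside quoted values.

```python
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET parameter"; '
        'flow:to_server,established; content:"GET"; http_method; '
        'content:"|2f|index|2e|php|3f|"; nocase; http_uri; '
        'classtype:web-application-attack; sid:1000000; rev:1;)')  # rule quoted from the post

def parse_options(rule):
    """Split the option body into ordered (keyword, value) pairs; no escaped ';' support."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for part in filter(None, (p.strip() for p in body.split(";"))):
        key, _, val = part.partition(":")
        opts.append((key.strip(), val.strip() or None))
    return opts

def decode_content(value):
    """Decode content:"..." syntax: text outside |..| is literal, inside |..| is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def content_matchers(opts):
    """Attach the modifiers that follow each content: (nocase, http_*) to that content."""
    matchers = []
    for key, val in opts:
        if key == "content":
            matchers.append({"pattern": decode_content(val), "nocase": False, "buffer": "payload"})
        elif key == "nocase":
            matchers[-1]["nocase"] = True
        elif key in ("http_method", "http_uri"):
            matchers[-1]["buffer"] = key
    return matchers

def request_buffers(raw):
    # Derive the buffers the modifiers refer to from a raw request line (constructed input).
    method, uri, _ = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    return {"http_method": method, "http_uri": uri, "payload": raw}

def rule_matches(rule, raw_request):
    bufs = request_buffers(raw_request)
    for m in content_matchers(parse_options(rule)):
        hay, needle = bufs[m["buffer"]], m["pattern"]
        fold = bytes.lower if m["nocase"] else bytes
        if fold(needle) not in fold(hay):  # substring test, not anchored to the URI start
            return False
    return True

if __name__ == "__main__":
    for req in (b"GET /index.php?id=1 HTTP/1.1\r\n\r\n", b"GET /Index.PHP?id=1 HTTP/1.1\r\n\r\n",
                b"POST /index.php?id=1 HTTP/1.1\r\n\r\n", b"GET /index.php HTTP/1.1\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", rule_matches(RULE, req))
```

Because content: is a substring test, the rule also fires on any URI that merely contains /index.php? (for example /admin/index.php?x=1), while a request for /index.php without the |3f| question mark does not match.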
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!