Snort mailing list archives
Re: Can't generate alerts on HTTP GET attacks
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Thu, 3 Jul 2014 09:21:05 +0100
Hi Sabawoon,

I notice from the rule you have written that you have included the percent-encoded characters (e.g. content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjwcom%2F ";). Depending on your configuration of Snort, the percent encoding is likely to be normalized, and you should write your rule for the normalized version of the attack. Also check to make sure that "%2f%sf" is not being normalized to "/".

Try changing your content matches to the normalized version (e.g. content:"|2f|index|2e|php|3f|keywords|3d|http|3a 2f 2f|revftdrcghjw|2e|com|2f|";) and let Snort do the work for you.

If you wanted to be extra cautious, you could use pcre and write:

pcre:"/\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f)?revftdrcghjw\x2ecom(\x25|\x2f)/i";

If this is not your intention, then maybe you should consider the keyword 'raw' in your matches.

Hope that helps.

Best regards,
Simon.

Please join our new group on LinkedIn - IPS Security Rules (Snort & Suricata)
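The point Simon makes above (a content match written against the percent-encoded bytes stops matching once http_inspect has normalized the URI) can be checked offline. The script below is an added example, not code from the thread or from the Snort project: it approximates Snort's normalization with a single percent-decoding pass (an assumption; the real http_inspect preprocessor does more, such as double decoding and path compression, depending on its configuration), parses Snort-style content strings including |hh hh| hex blocks, and evaluates both rule forms against a constructed request URI. The percent-encoded content string is a constructed variant of the poster's original (single leading slash, dot in the hostname) so that it lines up with the sample URI; the hex-escaped content string is the one from the reply.

```python
"""Added example: why a percent-encoded Snort content match misses after
URI normalization, while the hex-escaped form matches the normalized buffer.

Assumptions (constructed for this example, not Snort's real implementation):
- normalise_uri() is a single percent-decoding pass; http_inspect's actual
  behaviour depends on its configuration (double decoding, path handling).
- RAW_URI is a constructed request URI using the hostname from the thread.
"""
import re
from urllib.parse import unquote

# Constructed sample: the URI as it appears on the wire, before normalization.
RAW_URI = "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"

# Two ways of writing the same match, as discussed in the thread.
ENCODED_CONTENT = "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"  # constructed variant of the poster's rule
NORMALISED_CONTENT = "|2f|index|2e|php|3f|keywords|3d|http|3a 2f 2f|revftdrcghjw|2e|com|2f|"  # from the reply

_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def normalise_uri(uri: str) -> str:
    """Approximate Snort's URI normalization with one percent-decoding pass.
    (Assumption: real http_inspect output depends on its configuration.)"""
    return unquote(uri)


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string, with |hh hh| hex blocks, into bytes.

    Text outside the pipes is taken literally; inside the pipes, hex pairs
    separated by optional whitespace are decoded (bytes.fromhex skips spaces).
    """
    out = bytearray()
    pos = 0
    for m in _HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def content_matches(content: str, buffer: str, nocase: bool = False) -> bool:
    """Emulate a plain Snort content match: substring search over the buffer."""
    needle = snort_content_to_bytes(content)
    hay = buffer.encode("latin-1")
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def evaluate(raw_uri: str = RAW_URI) -> dict:
    """Report which rule form matches the raw buffer and which matches the
    normalized buffer, so the effect of normalization is visible."""
    norm = normalise_uri(raw_uri)
    return {
        "normalised_uri": norm,
        "encoded_rule_vs_raw": content_matches(ENCODED_CONTENT, raw_uri),
        "encoded_rule_vs_normalised": content_matches(ENCODED_CONTENT, norm),
        "hex_rule_vs_raw": content_matches(NORMALISED_CONTENT, raw_uri),
        "hex_rule_vs_normalised": content_matches(NORMALISED_CONTENT, norm),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Running it shows the split Simon describes: the percent-encoded content matches only the raw bytes, and the hex-escaped content matches only the normalized URI. Which buffer a given rule is evaluated against is decided by the preprocessor configuration and the buffer modifiers on the rule, so the check to make before tuning a rule is to confirm which form of the URI http_inspect is actually handing to the detection engine.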
Current thread:
- Can't generate alerts on HTTP GET attacks Sabawoon Mageedzada (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks Ryan (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks Y M (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks rmkml (Jul 02)
- Re: Can't generate alerts on HTTP GET attacks Simon Wesseldine (Jul 03)
- Re: Can't generate alerts on HTTP GET attacks Nicholas Mavis (nmavis) (Jul 08)