Snort mailing list archives
Re: PCRE and uricontent anchor
From: Joel Esler <joel.esler () me com>
Date: Fri, 26 Mar 2010 14:41:41 -0400
I am assuming that the 443 was an example. Or maybe he's looking for http traffic over 443 because it's outbound and an "infected machine" is communicating with 443 outbound because it's rarely blocked.

J

On Mar 26, 2010, at 2:40 PM, Finney Charles E wrote:
Is this stream not encrypted? To what purpose will running pcre against it serve?

Charlie in Iowa

-----Original Message-----
From: Joel Esler [mailto:joel.esler () me com]
Sent: Friday, March 26, 2010 1:26 PM
To: Curt Shaffer
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] PCRE and uricontent anchor

Using your below example:

On Mar 26, 2010, at 2:18 PM, Curt Shaffer wrote:

I am attempting to write a rule that would capture a POST event to a URL with a specific file. Here is an example:

https://www.example.com/abc.aspx?id=459184950

The id section is always different. We also want to look for any similar POSTs to any address. With that in mind, here is the basis of what we came up with.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Bad stuff potentially going on unencrypted"; uricontent:"aspx?id="; pcre:"/aspx\?id=\d*/U"; classtype:trojan-activity; sid:x; rev:1;)

--
Joel Esler
http://blog.joelesler.net

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Joel Esler
http://blog.joelesler.net
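As an added illustration that is not part of this thread, the following Python toy model shows why the two matchers in Curt's rule behave as they do: uricontent and pcre with the /U flag only ever see a URI buffer, which exists for a plaintext HTTP request on port 443 but not for a TLS record, and the `\d*` in the pcre also accepts an empty id. The request parsing, the sample payloads and the assumption that the URI buffer is populated only when the payload parses as HTTP are constructed for this example.

```python
import re
from typing import Optional

# The two payload matchers from the rule under discussion.
URICONTENT = b"aspx?id="
# /U restricts the pcre to the normalized URI buffer; modelled here as
# matching against the extracted request URI only.
PCRE_U = re.compile(rb"aspx\?id=\d*")


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request URI from a plaintext HTTP request line.

    Returns None when the payload does not look like HTTP (for example a
    TLS record), standing in for the case where the HTTP preprocessor has
    nothing to decode and so no URI buffer is built (assumption of this model).
    """
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def rule_matches(payload: bytes) -> bool:
    """Evaluate uricontent followed by pcre /U, the way the rule orders them."""
    uri = extract_uri(payload)
    if uri is None:
        return False          # no URI buffer: neither option can fire
    if URICONTENT not in uri:
        return False          # uricontent fails, pcre is never reached
    return PCRE_U.search(uri) is not None


# Constructed samples, not captured traffic.
PLAIN_POST_443 = (b"POST /abc.aspx?id=459184950 HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
# An empty id: the pcre's \d* still matches, so it adds nothing over uricontent.
EMPTY_ID_POST = b"POST /abc.aspx?id= HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# A made-up TLS record header followed by opaque bytes: no request line at all.
TLS_RECORD = bytes.fromhex("16030100") + b"\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, sample in [("plaintext POST on 443", PLAIN_POST_443),
                         ("empty id", EMPTY_ID_POST),
                         ("TLS record on 443", TLS_RECORD)]:
        print(f"{name}: {'alert' if rule_matches(sample) else 'no alert'}")
```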
Current thread:
- PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor L0rd Ch0de1m0rt (Mar 26)
- Re: PCRE and uricontent anchor Finney Charles E (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evejou (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)