Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Can't generate snort alerts with GET HTTP using pcre.

From: Sabawoon Mageedzada <sabawoon.majeedzada () gmail com>
Date: Mon, 4 Aug 2014 00:03:10 -0400
Hello Everyone,

I would appreciate if someone can help me with these rules or fix these
rules. I can't generate alerts using the snort rules bellow.

*Goal*:* A:* To generate snort alerts if HTTP GET's attribute accpets a
value which is not matched with the pcre value. Simply, I want To generate
snort alerts using HTTP GET Method with a parameter. The parameter
(index.php?paramter=something) should accept a value.  If the value does
not match the pcre pattern, it should generate alert.

B: To generate alerts if specific attribute is used with a HTTP GET
request. Say for example, I should get alerts if a get http attribute has
gets a value. For example, I should get an alert if the date is used in
here. http:/www.example.com/index.php?date=something


*Right now*, I can't alerts generated when I go the the website and pass
1223 to the "city"  attribute or a string value to the "id" attribute in
the mentioned in the rules below. It should give me alert based on the
rule. But the rule might have problem.

alert tcp any any -> any 80  (msg:"HTTP GET PACKET with
parameter";content:"/current_time_in_AF.aspx?city=" ;pcre:"/^[a-zA-Z]+$/ "
;flow:to_server,established;http_method;sid:990992;)

Or this one.
alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
content:"/city.php?id=" pcre:"/city.php
?id=[0-9]{1,10}/iU";​http_method;flow:to_server,established;​sid:20000011;)

Thanks,
SF

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: