Snort mailing list archives
about http_inspection
From: 강명훈 <mhkang589 () gmail com>
Date: Sun, 7 Jun 2015 23:55:58 +0900
Hi, all. :)

Can anybody explain the rule below? I think it matches the normalized HTTP request URI by content, and matches the unnormalized HTTP request URI by pcre. Correct? Does http_inspect support pcre too?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:10;)

--
kangmyounghun.blogspot.kr <http://kangmyounghun.blogspot.kr/>
kr.linkedin.com/pub/myounghun-kang/74/238/93a <http://kr.linkedin.com/pub/myounghun-kang/74/238/93a>
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
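Added example, not part of the original post and not Snort code: a simplified Python model of how sid:1054 is evaluated. In Snort 2.x a pcre option with no buffer flag runs against the raw packet payload, while the U flag points it at the same normalized URI buffer that http_uri uses. Assumptions: percent-decoding stands in for http_inspect normalization, and the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Negated pcre from sid:1054; PCRE flags s, m, i -> DOTALL, MULTILINE, IGNORECASE.
RAW_JSP = re.compile(r"^\w+\s+[^\n\s\?]*\.jsp", re.S | re.M | re.I)


def normalized_uri(payload: bytes) -> str:
    """Assumed stand-in for the http_inspect URI buffer: percent-decoding only."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    return unquote(parts[1], encoding="latin-1") if len(parts) >= 2 else ""


def sid_1054_fires(payload: bytes) -> bool:
    # content:".jsp"; nocase; http_uri;  -> checked in the normalized URI
    if ".jsp" not in normalized_uri(payload).lower():
        return False
    # pcre:!"..." has no buffer flag -> checked in the raw payload.
    # The leading "!" negates it: the rule fires when the regex does NOT match.
    return RAW_JSP.search(payload.decode("latin-1")) is None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain .jsp request": b"GET /index.jsp HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "encoded extension": b"GET /index.js%70 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    ".jsp only in query": b"GET /page.html?next=/a.jsp HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "no .jsp at all": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20} alert={sid_1054_fires(payload)}")
```

In this model the rule stays quiet for a literal .jsp path and fires when the extension only appears after decoding. It also fires when .jsp occurs only in the query string, because the pcre cannot cross the "?" character.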