Snort mailing list archives

Re: Setting up a rule for a repeating pattern


From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Mon, 21 Mar 2016 20:09:44 -0400

Hi Gurgen,

You might use the following strategy for detecting a repeating "POST"

content:"POST "; depth:5; content:"POST "; distance:0;

This will enter on the raw buffer and look for an additional "POST "
following the first content match.

On Mon, Mar 21, 2016 at 8:03 PM, Gurgen Hakobyan <hakobyan () outlook com>
wrote:

Hi,

I need to setup a rule that would detect a repetition of headers within a
HTTP session.

Only initial headers have to be examined (not the content), so we are not
going to process huge amounts of data. I want to detect anything that sends
two of same headers (say 2 POST requests, etc.). The repetitions are not
necessarily successive.

How is that possible using Snort rules syntax? If I use command like

alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)

it will detect the pattern once, but how do I repeat it?

Thanks,
Gurgen
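To see why the suggested content/depth/distance combination fires only on a repeated "POST ", here is an added example (not part of either message above) that emulates the relevant subset of Snort's content-matching semantics in Python and runs the rule over constructed sample payloads; the helper name and the payloads are assumptions, not Snort's own code.

```python
def match_contents(buf: bytes, contents) -> bool:
    """Evaluate Snort-style content checks left to right.

    contents: list of (pattern, modifiers). Supported modifiers:
      offset / depth    absolute: search starts at `offset` and only the
                        next `depth` bytes of the buffer are examined
      distance / within relative: search starts `distance` bytes after the
                        end of the previous match, and the pattern must end
                        within `within` bytes of that start
    Returns True when every content matches, in order.
    """
    cursor = 0  # end of the previous match
    for pat, mods in contents:
        if "distance" in mods or "within" in mods:
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(buf)
        else:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(buf)
        idx = buf.find(pat, start, end)  # pattern must lie fully in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


# The rule body from the reply: content:"POST "; depth:5; content:"POST "; distance:0;
REPEATED_POST = [
    (b"POST ", {"depth": 5}),     # anchored to the first 5 bytes of the buffer
    (b"POST ", {"distance": 0}),  # searched from the end of the first match onward
]

# Constructed sample payloads (not captured traffic).
HDR = b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
TWO_POSTS = b"POST /login" + HDR + b"POST /login" + HDR
ONE_POST = b"POST /login" + HDR
GET_THEN_POST = b"GET /" + HDR + b"POST /login" + HDR


def main():
    for name, buf in [("two POSTs", TWO_POSTS), ("one POST", ONE_POST),
                      ("GET then POST", GET_THEN_POST)]:
        print(f"{name}: {'ALERT' if match_contents(buf, REPEATED_POST) else 'no match'}")


if __name__ == "__main__":
    main()
```

Because depth:5 pins the first match to the start of the inspected buffer, a buffer that begins with a GET and later carries a single POST does not fire; only a second "POST " after the first one does.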

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!