RE: reading a new rule.

[Erek Adams <erek () snort org>]

On Mon, 11 Aug 2003, samwun wrote:

> I still have a problem here. I want snort detect the following
> signature:
>
> POST /index.html?crap=10601855
>
> It is in the tcp data section. How can I write a rule for it and how to
> set it up and run by snort?

Read the docs [0].  Read the current rules for an example.

> From web-misc.rules:

  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
  globals.pl access"; flow:to_server,established;
  uricontent:"/globals.pl";  reference:cve,CVE-2001-0330;
  reference:bugtraq,2671; classtype:web-application-activity;
  sid:2073; rev:1;)

So modify that to work for your need.

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
    crap=10601855 access";  flow:to_server,established;
    uricontent:"/index.html?crap=10601855"; sid:1000001; rev:1;)

Not too hard is it?

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/writing_rules/


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users