Snort mailing list archives
Re: How to write a snort rule match NO content GET orPOST in http request
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 25 Jul 2012 10:59:04 -0600
From: Andrew Torres [mailto:aatorres19 () gmail com] Sent: Wednesday, July 25, 2012 10:47 AM To: Lay, James Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] How to write a snort rule match NO content GET orPOST in http request I do not think that accomplishes what he is trying though, as that will simply alert when those strings are not found, not when they are not the http methods involved. The signature is possible I just can not think of a really efficient way of doing it using the http options. You can do a content match for everything but GET and POST and do a fast_pattern of HTTP/1.1 or something. Might be faster to just write individual sigs for the methods that you are concerned about. and use the http_method option in each sig rather than a contnet match. A lot of ways to solve the problem, I am just not sure which is the best. Will wait for someone more knowledge than me to chime in. On Wed, Jul 25, 2012 at 11:31 AM, Lay, James <james.lay () wincofoods com> wrote: -----Original Message----- From: Tran M. Thang [mailto:tmthang () vncert vn] Sent: Wednesday, July 25, 2012 12:33 AM To: snort-users () lists sourceforge net Subject: [Snort-users] How to write a snort rule match NO content GET orPOST in http request Hi Snort Users, Please help me to write a snort rule that matches http request with NO content GET or POST. Thanks!
From the snort manual, you can use content negation, ie content:!"Get";
Hope that helps. James I'm thinking something like: content:!"GET"; content:!"POST"; http_uri; or content:!"GET"; content:!"POST"; http_method; Perhaps? James
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How to write a snort rule match NO content GET or POST in http request Tran M. Thang (Jul 24)
- Re: How to write a snort rule match NO content GET orPOST in http request Lay, James (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Andrew Torres (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Lay, James (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Andrew Torres (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Joel Esler (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Alex Kirk (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Andrew Torres (Jul 25)
- Re: How to write a snort rule match NO content GET orPOST in http request Lay, James (Jul 25)
- Re: How to write a snort rule match NO content GET or POST in http request Alex Kirk (Jul 26)
- Re: How to write a snort rule match NO content GET or POST in http request Shaiming Hsiung (Jul 26)
- Re: How to write a snort rule match NO content GET or POST in http request Tran M. Thang (Jul 29)
- Re: How to write a snort rule match NO content GET or POST in http request waldo kitty (Jul 30)
- Re: How to write a snort rule match NO content GET or POST in http request kay (Jul 30)