Re: How to write a snort rule match NO content GET orPOST in http request

[Andrew Torres <aatorres19 () gmail com>]

This should probably work :-)


content:!”GET”; content:!”POST”; http_method;****


On Wed, Jul 25, 2012 at 11:59 AM, Lay, James <james.lay () wincofoods com>wrote:

> ** **
>
> ** **
>
> *From:* Andrew Torres [mailto:aatorres19 () gmail com]
> *Sent:* Wednesday, July 25, 2012 10:47 AM
> *To:* Lay, James
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] How to write a snort rule match NO content
> GET orPOST in http request****
>
> ** **
>
> I do not think that accomplishes what he is trying though, as that will
> simply alert when those strings are not found, not when they are not the
> http methods involved. The signature is possible I just can not think of a
> really efficient way of doing it using the http options. You can do a
> content match for everything but GET and POST and do a fast_pattern of
> HTTP/1.1 or something. Might be faster to just write individual sigs for
> the methods that you are concerned about. and use the http_method option in
> each sig rather than a contnet match. A lot of ways to solve the problem, I
> am just not sure which is the best. Will wait for someone more knowledge
> than me to chime in. ****
>
> On Wed, Jul 25, 2012 at 11:31 AM, Lay, James <james.lay () wincofoods com>
> wrote:****
>
> -----Original Message-----
> From: Tran M. Thang [mailto:tmthang () vncert vn]
> Sent: Wednesday, July 25, 2012 12:33 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] How to write a snort rule match NO content GET
> orPOST in http request
>
> Hi Snort Users,
>
> Please help me to write a snort rule that matches http request with NO
> content GET or POST.
>
> Thanks!
>
>
> ****
>
> > From the snort manual, you can use content negation, ie content:!"Get";
>
> Hope that helps.
>
> James****
>
> ** **
>
> ** **
>
> I’m thinking something like:****
>
> ** **
>
> content:!”GET”; content:!”POST”; http_uri;****
>
> ** **
>
> or****
>
> ** **
>
> content:!”GET”; content:!”POST”; http_method;****
>
> ** **
>
> Perhaps?****
>
> ** **
>
> James****
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!