Snort mailing list archives

Re: Help needed writing GET requests


From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 14 Jul 2014 13:57:49 -0500

Describe, specifically, what you want to match on and I can help.  Otherwise
your question is too generic to offer any assistance outside of:

alert tcp any any -> any any (msg:"GET to some content";
flow:established,to_server; content:"GET"; http_method; content:"some content";
pcre:"/some pattern/"; ...

Cheers,
Nathan


On 07/14/2014 01:52 PM, Sabawoon Mageedzada wrote:
Hello Everyone,

I would appreciate it if someone can help me with writing a rule that helps me
detect GET requests to a web application. I am a newbie and I have tried some
rules which did not work.

The next step: there will be multiple GET requests to a web application, and a
dynamic rule that can detect a specific pattern inside the GET request would
also help me. These are GET requests that are suspicious to the web application and
they are crafted to attack the web application. What type of attack is this kind
of scenario?

Also, what output module should I use for my alerts to be human readable? unified2
and fast are all binary; I would like to have better alert files that would
help me read the alert files in the /logs directory.

I am using Snort version 2.9.3.

Thanks,
SF
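As an added example (not from either message in this thread), here is a complete pair of local rules built from Nathan's skeleton above, written for Snort 2.9.x rule syntax. It assumes the application lives under /webapp/ and that $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are defined in snort.conf as usual; the path, the parameter pattern and the sid values are placeholders to be adapted.

```snort
# local.rules (constructed example). Load it from snort.conf with:
#   include $RULE_PATH/local.rules
# and, for a plain-text alert file instead of unified2, add to snort.conf:
#   output alert_fast: alert.fast      # one line per alert
#   output alert_full: alert.full      # multi-line, includes packet headers
# Local rules use sid values of 1000000 and above to avoid clashing with VRT/ET sids.

# Rule 1: any GET whose normalized URI starts with the application path.
# flow:established,to_server keeps it to client->server traffic on an open session;
# http_method / http_uri restrict each content match to the decoded HTTP buffers.
# This rule fires on every GET to the path, so expect it to be noisy.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL GET to /webapp/"; \
    flow:established,to_server; content:"GET"; http_method; \
    content:"/webapp/"; http_uri; nocase; \
    classtype:web-application-activity; sid:1000001; rev:1;)

# Rule 2: same GET, but only when a query parameter value contains a single quote
# (a common SQL injection probe). The cheap content matches run first; the pcre
# with the U modifier is evaluated on the normalized URI only after they hit,
# so %27 sent by the client is already decoded to ' when the regex sees it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL quote in /webapp/ GET parameter"; \
    flow:established,to_server; content:"GET"; http_method; \
    content:"/webapp/"; http_uri; nocase; content:"'"; http_uri; \
    pcre:"/[?&][^=&]+=[^&]*'/U"; \
    classtype:web-application-attack; sid:1000002; rev:1;)
```

Test with `snort -c snort.conf -T` to validate the syntax, then replay a capture with `-r file.pcap` and read alert.fast.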
