Snort mailing list archives

Need help with Snort Rule for an HTTP GET parameter and pattern matching.


From: Sabawoon Mageedzada <sabawoon.majeedzada () gmail com>
Date: Thu, 31 Jul 2014 08:46:58 -0400

Hello Everyone,

I would appreciate it if anyone can help me out with my Snort rule.

I would like to generate a Snort rule that can detect an HTTP GET parameter.
Example below:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
content:"/index.php?action=";http_method;sid:20000011;)

Right now when I type in http://www.example.com/index.php?action=login I do
not get an alert generated using the rule above.

Or how to detect if the GET HTTP method with a specific parameter has been used or
passed a value.

Secondly, how to write a simple pattern that can detect that a specific string
or number pattern has been passed to this GET parameter. Just an example
pattern guidance would be nice.

Thanks,
SF
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
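
The rules below are an added example, not part of the original post or of any Snort ruleset. In the posted rule, `http_method` follows `content:"/index.php?action="`, so Snort searches for the path inside the method buffer and never matches; a content modifier applies to the `content` immediately before it. Assumptions: Snort 2.9-style syntax, the `http_inspect` preprocessor decoding port 80, and constructed SIDs and `msg` strings.

```snort
# Added example. SIDs 1000001-1000003 and msg strings are constructed.
# http_uri and the pcre "U" flag both match the normalized (decoded) URI.

# 1. Any GET request whose URI contains /index.php?action=
alert tcp any any -> any 80 ( \
    msg:"LOCAL HTTP GET index.php with action parameter"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php?action="; http_uri; nocase; \
    sid:1000001; rev:1;)

# 2. The action parameter carries one specific string value (login).
#    The pcre pins the value to a whole parameter, in any position
#    of the query string, so "action=loginx" does not match.
alert tcp any any -> any 80 ( \
    msg:"LOCAL HTTP GET index.php action=login"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php"; http_uri; nocase; \
    content:"action="; http_uri; nocase; \
    pcre:"/[?&]action=login(&|$)/Ui"; \
    sid:1000002; rev:1;)

# 3. The action parameter carries a purely numeric value.
alert tcp any any -> any 80 ( \
    msg:"LOCAL HTTP GET index.php numeric action value"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php"; http_uri; nocase; \
    content:"action="; http_uri; nocase; \
    pcre:"/[?&]action=\d+(&|$)/U"; \
    sid:1000003; rev:1;)
```

Keeping a `content` match ahead of each `pcre` lets Snort reject most packets with the cheap string search before the regular expression is evaluated.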

