Snort mailing list archives

Re: Need help with Snort Rule for a HTTP GET parameter and


From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Thu, 31 Jul 2014 17:20:08 +0100

Hi Sabawoon,


When you are writing your rules, be careful with formatting and putting
spaces in the right place.

Try this example:


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|index|2e|php|3f|"; nocase; http_uri; classtype:web-application-attack; sid:1000000; rev:1;)


There are a couple of other key points you should also follow when writing
your rules. Try to use variables and add the port numbers to them in
snort.conf; it will make life a lot easier in the future and should
catch more bad traffic. Also, try to add a revision number to your sids,
which helps in troubleshooting many versions of one rule.


I don't like to add plugs on this mailing list, but a tool that will help you
to write better Snort rules is available FREE from this link -
http://www.ipssecurityrules.co.uk/rules/download_creator.php.

Go try it out.


Best regards,

Simon.
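As an added illustration (not part of Simon's post and not Snort code), the script below models what the posted rule checks against a handful of raw HTTP requests: the substring match on the method (`content:"GET"; http_method;`, case-sensitive because it carries no `nocase`), and the case-insensitive match of the bytes `|2f|index|2e|php|3f|` (i.e. `/index.php?`) against the normalized URI (`nocase; http_uri;`). The URI normalization is an approximation of what Snort's http_inspect does (percent-decoding, collapsing repeated slashes, resolving `.` and `..` segments), written here for the example; the `flow:` and address/port conditions are not modelled. The sample requests are constructed for this example.

```python
"""Model of the posted Snort rule applied to raw HTTP requests.

Added example: a Python approximation, not Snort's own code. Sample
requests are constructed for the demonstration.
"""
from urllib.parse import unquote_to_bytes

# The hex escapes in the rule, |2f| |2e| |3f|, decode to "/", "." and "?":
# the pattern is therefore "/index.php?" (a URI with at least one parameter).
RULE_PATTERN = bytes.fromhex("2f") + b"index" + bytes.fromhex("2e") + b"php" + bytes.fromhex("3f")


def parse_request_line(request: bytes):
    """Return (method, raw_uri) from the first line of an HTTP request."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        return None, None
    return parts[0], parts[1]


def normalize_uri(raw_uri: bytes) -> bytes:
    """Approximation (assumed here) of http_inspect's URI normalization:
    percent-decode once, collapse '//' and '.' segments, resolve '..'.
    Only the path is normalized; the query string is kept as decoded."""
    decoded = unquote_to_bytes(raw_uri)
    path, sep, query = decoded.partition(b"?")
    segments = []
    for seg in path.split(b"/"):
        if seg in (b"", b"."):
            continue                      # drop empty ('//') and '.' segments
        if seg == b"..":
            if segments:
                segments.pop()            # resolve directory traversal
            continue
        segments.append(seg)
    return b"/" + b"/".join(segments) + sep + query


def rule_matches(request: bytes) -> bool:
    """content:"GET"; http_method;  then  content:"/index.php?"; nocase; http_uri;"""
    method, raw_uri = parse_request_line(request)
    if method is None or b"GET" not in method:   # content is a substring match, case-sensitive
        return False
    uri = normalize_uri(raw_uri)
    return RULE_PATTERN.lower() in uri.lower()   # nocase against the normalized URI


def raw_uri_matches(request: bytes) -> bool:
    """What a plain content match on the un-normalized URI would see (no http_uri)."""
    method, raw_uri = parse_request_line(request)
    if method is None or b"GET" not in method:
        return False
    return RULE_PATTERN.lower() in raw_uri.lower()


# Constructed sample requests, one per behaviour worth checking.
SAMPLE_REQUESTS = {
    "plain":     b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "upper":     b"GET /INDEX.PHP?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "encoded":   b"GET /%69ndex%2Ephp?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal": b"GET /a/../index.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "no_param":  b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "post":      b"POST /index.php?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate(samples=SAMPLE_REQUESTS):
    """Run the modelled rule over every sample; returns {name: alerted}."""
    return {name: rule_matches(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:10s} {'ALERT' if hit else '-'}")
```

The `encoded` request is the reason `http_uri` matters: `rule_matches` alerts on it because the percent-encoding is undone before the comparison, while `raw_uri_matches` does not. The `no_param` request shows that the trailing `|3f|` makes the rule require a `?`, i.e. at least one GET parameter, and `post` shows the method check excluding non-GET requests. For the variables the post recommends, Snort 2.x declares them in snort.conf as `ipvar HOME_NET ...` and `portvar HTTP_PORTS [80,8080]`, which the rule header then references as `$HOME_NET` and `$HTTP_PORTS`.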

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!