Snort mailing list archives

Re: Can't generate snort alerts with GET HTTP using pcre.


From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Mon, 4 Aug 2014 09:56:15 +0100

Hi Sabawoon,

I shall try and help you with your question, but it looks like you have a
number of issues with your rules that are causing you problems. The main
advice I would like to offer you is:

1. When using the http_method keyword, it must come immediately after the content match you wish for it to operate on, e.g. content:"GET"; http_method;

2. Some characters within pcre matches must be escaped with a backslash for them to operate as you would want, e.g. the period (.) is a wildcard in pcre if not escaped correctly (\.).

3. Your pcre match ^[a-zA-Z]+$ is looking for a string of characters from the start of a line to the finish of a line. This will not match on a uri, because the uri will include spaces ( HTTP/1.1). Also remember that the repetition characters (+*) are greedy by default in Snort.

If you are trying to raise an alert for every event that is NOT a match, then you can use negated content or pcre matches, e.g. content:!"string"; OR pcre:!"/string/si";. But what I think you are trying to achieve is that within character classes you can also use the caret to negate a match, e.g. [^a-zA-Z]. It goes within the square brackets.

I would try something like this for what you describe:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a
number passed to the id parameter"; flow:to_server,established;
content:"GET"; http_method; content:"|2f|city|2e|php|3f|"; nocase;
pcre:"/id\x3d[0-9]*?[^0-9]/is"; classtype:web-application-attack;
sid:1000000; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a
string passed to the city parameter"; flow:to_server,established;
content:"GET"; http_method;
content:"|2f|current|5f|time|5f|in|5f|AF|2e|aspx|3f|"; nocase;
pcre:"/city\x3d[a-zA-Z]*?[^a-zA-Z]/is"; classtype:web-application-attack;
sid:1000001; rev:1;)


Best regards,

Simon.

Join our New Group on LinkedIn - "IPS Security Rules (Snort & Suricata)"

Custom Snort rules made easy -
http://www.ipssecurityrules.co.uk/products/easy_rules_creator.php
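The following is an added check, not code from the reply above: it runs the thread's pcre patterns over constructed request lines (the payload as Snort sees it, including the trailing " HTTP/1.1") to show why the anchored ^[a-zA-Z]+$ never matches a request line, how the suggested id\x3d[0-9]*?[^0-9] pattern behaves, and a tightened variant (my assumption, not from the thread) that treats "&" and whitespace as the end of the parameter value. Python's re module is used in place of the PCRE library; these particular patterns behave the same in both.

```python
import re

# Constructed HTTP request lines (not taken from the thread), written the way
# Snort sees them in the packet payload, i.e. with the trailing " HTTP/1.1".
REQUEST_LINES = [
    "GET /city.php?id=123 HTTP/1.1",
    "GET /city.php?id=12abc HTTP/1.1",
    "GET /city.php?id=abc HTTP/1.1",
    "GET /city.php?id=123&page=2 HTTP/1.1",
    "GET /city.php HTTP/1.1",
]

# Point 3 of the reply: anchored to the start and end of the buffer, this can
# never match a whole request line, because the line contains "/" and spaces.
ORIGINAL_PCRE = re.compile(r"^[a-zA-Z]+$", re.I | re.S)

# The id pattern from the suggested rule, pcre:"/id\x3d[0-9]*?[^0-9]/is".
# Any non-digit satisfies [^0-9], so a purely numeric id is still flagged
# once the lazy [0-9]*? reaches the "&" or the space before "HTTP/1.1".
THREAD_ID_PCRE = re.compile(r"id\x3d[0-9]*?[^0-9]", re.I | re.S)

# Tightened variant (assumption, not from the thread): "&" and whitespace end
# the value, so only a non-numeric character inside the value can match.
STRICT_ID_PCRE = re.compile(r"id\x3d[0-9]*[^0-9&\s]", re.I | re.S)


def matches(pattern, line):
    """True if the pattern fires anywhere in the line, as Snort's pcre would."""
    return pattern.search(line) is not None


def evaluate(lines=REQUEST_LINES):
    """Map each line to (anchored_pattern, thread_id_pattern, strict_id_pattern)."""
    return {
        line: (
            matches(ORIGINAL_PCRE, line),
            matches(THREAD_ID_PCRE, line),
            matches(STRICT_ID_PCRE, line),
        )
        for line in lines
    }


if __name__ == "__main__":
    for line, (anchored, thread, strict) in evaluate().items():
        print(f"{line:40} anchored={anchored!s:5} thread={thread!s:5} strict={strict}")
```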

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org