Snort mailing list archives
Re: Can't generate snort alerts with GET HTTP using pcre.
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Mon, 4 Aug 2014 09:56:15 +0100
Hi Sabawoon,

I shall try and help you with your question, but it looks like you have a number of issues with your rules that are causing you problems. The main advice I would like to offer you is:

1. When using the http_method keyword, it must come immediately after the content match you wish for it to operate on, e.g. content:"GET"; http_method;

2. Some characters within pcre matches must be escaped with a backslash for them to operate as you would want, e.g. the period (.) is a wildcard in pcre if not escaped correctly (\.).

3. Your pcre match ^[a-zA-Z]+$ is looking for a string of characters from the start of a line to the finish of a line. This will not match on a URI, because the URI will include spaces ( HTTP/1.1). Also remember that the repetition characters (+*) are greedy by default in Snort.

If you are trying to raise an alert for every event that is NOT a match, then you can use negated content or pcre matches, e.g. content:!"string"; or pcre:!"/string/si";. But what I think you are trying to achieve is that within character classes you can also use the caret to negate a match, e.g. [^a-zA-Z]. It goes within the square brackets.

I would try something like this for what you describe:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a number passed to the id parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|city|2e|php|3f|"; nocase; pcre:"/id\x3d[0-9]*?[^0-9]/is"; classtype:web-application-attack; sid:1000000; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a string passed to the city parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|current|5f|time|5f|in|5f|AF|2e|aspx|3f|"; nocase; pcre:"/city\x3d[a-zA-Z]*?[^a-zA-Z]/is"; classtype:web-application-attack; sid:1000001; rev:1;)

Best regards,
Simon.
Join our New Group on LinkedIn - "IPS Security Rules (Snort & Suricata)" Custom Snort rules made easy - http://www.ipssecurityrules.co.uk/products/easy_rules_creator.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
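Added check, not part of Simon's reply or of the Snort project: a small Python harness that pulls the pcre option out of a Snort rule and runs it with Python's re module over a few constructed GET request lines. It shows why the anchored ^[a-zA-Z]+$ pattern never matches a request line, and it also shows a caveat with the negated-class approach: the character that terminates a valid numeric value (the space before HTTP/1.1, or an & before the next parameter) is itself "not a digit", so the pattern as posted also fires on well-formed requests. Two alternative patterns (one with the terminator characters excluded from the class, one using pcre:! as the message describes) are my own assumptions, as are their sid values and the sample request lines; only the pcre option is evaluated, the content and http_method modifiers are not modelled.

```python
import re

# The id rule as posted above; the pcre pattern is copied verbatim.
RULE_ID_POSTED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"HTTP GET - Not a number passed to the id parameter"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"|2f|city|2e|php|3f|"; nocase; '
    r'pcre:"/id\x3d[0-9]*?[^0-9]/is"; '
    'classtype:web-application-attack; sid:1000000; rev:1;)'
)

# Assumed variant (sid is a constructed placeholder): the negated class also excludes the
# characters that legitimately end a query value, so a plain numeric id no longer matches.
RULE_ID_TIGHTENED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"HTTP GET - Not a number passed to the id parameter"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"|2f|city|2e|php|3f|"; nocase; '
    r'pcre:"/id\x3d[0-9]*?[^0-9&\s]/is"; '
    'classtype:web-application-attack; sid:1000010; rev:1;)'
)

# Assumed variant using a negated pcre, as the message mentions: match "id=<digits><terminator>"
# and alert when that does NOT match. sid is a constructed placeholder.
RULE_ID_NEGATED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"HTTP GET - Not a number passed to the id parameter"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"|2f|city|2e|php|3f|"; nocase; '
    r'pcre:!"/id\x3d[0-9]+(?:&|\s)/i"; '
    'classtype:web-application-attack; sid:1000011; rev:1;)'
)

# Constructed sample request lines (not from the thread).
SAMPLE_REQUESTS = [
    "GET /city.php?id=42 HTTP/1.1",         # well-formed numeric id
    "GET /city.php?id=42abc HTTP/1.1",      # digits followed by letters
    "GET /city.php?id=abc HTTP/1.1",        # no digits at all
    "GET /city.php?id=7&lang=en HTTP/1.1",  # numeric id, another parameter follows
]

# Snort pcre flags that map directly onto Python re flags. Snort-specific buffer
# modifiers (U, P, H, ...) are not regex flags and are rejected by this toy harness.
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_pcre(rule):
    """Return (negated, pattern, flags) from the rule's pcre:"/pattern/flags" option."""
    m = re.search(r'pcre:\s*(!?)\s*"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no pcre option")
    negated = m.group(1) == "!"
    body = m.group(2)
    if not body.startswith("/") or "/" not in body[1:]:
        raise ValueError("pcre option must look like /pattern/flags")
    pattern, _, flags = body[1:].rpartition("/")
    return negated, pattern, flags


def compile_pcre(rule):
    """Compile the rule's pcre pattern with the equivalent Python re flags."""
    negated, pattern, flags = parse_pcre(rule)
    re_flags = 0
    for f in flags:
        if f not in FLAG_MAP:
            raise ValueError(f"flag {f!r} is a Snort buffer modifier or unsupported here")
        re_flags |= FLAG_MAP[f]
    return negated, re.compile(pattern, re_flags)


def rule_hits(rule, request_lines):
    """For each request line, whether the rule's pcre option is satisfied
    (a negated pcre is satisfied when the pattern does NOT match)."""
    negated, regex = compile_pcre(rule)
    return [(regex.search(line) is not None) != negated for line in request_lines]


def anchored_alpha_matches(text):
    """The original poster's ^[a-zA-Z]+$ pattern: it can only match text that is
    letters from start to end, never a request line with '/', '?', '=' and ' HTTP/1.1'."""
    return re.search(r"^[a-zA-Z]+$", text) is not None


if __name__ == "__main__":
    variants = [("posted", RULE_ID_POSTED), ("tightened", RULE_ID_TIGHTENED),
                ("negated", RULE_ID_NEGATED)]
    for name, rule in variants:
        for line, hit in zip(SAMPLE_REQUESTS, rule_hits(rule, SAMPLE_REQUESTS)):
            print(f"{name:9} {'ALERT' if hit else '-    '} {line}")
```

Running the script prints ALERT for all four sample lines with the posted pattern, but only for the two malformed ids with either alternative. The same terminator issue applies to the city rule, so a rule like this is worth replaying against captured benign traffic before it goes into production.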