Re: Can't generate alerts on HTTP GET attacks

["Simon Wesseldine" <simon.wesseldine () idappcom com>]

Hi Sabawoon,

 

I notice from the rule you have written, that you have included the percent
encoded characters (e.g.
content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjwcom%2F ";)

Depending on your configuration of Snort, the percent encoding is likely to
be normalized and you should write your rule for the normalized version of
the attack. Also check to make sure that "%2f%sf" is not being normalized to
"/".

 

Try changing you content matches to the normalized version (e.g.
content:"|2f|index|2e|php|3f|keywords|3d|http|3a 2f
2f|revftdrcghjw|2e|com|2f|";) and let Snort do the work for you.

If you wanted to be extra cautious, you could use pcre and write -
pcre:"/\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f)?revftd
rcghjw\x2ecom(\x25|\x2f)/i";

 

If this is not your intention, then maybe you should consider the keywords
'raw' in your matches.

 

hope that helps.

Best regards,

Simon.

 

Please join our new group on linkedin - IPS Security Rules (Snort &
Suricata)

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!