Re: Need help with snort rules

["lists () packetmail net" <lists () packetmail net>]

On 08/07/2014 12:43 PM, Sabawoon Mageedzada wrote:
> Hello everyone,
>
> I have the following rules.
>
> alert tcp any any -> any 80  (msg:"HTTP GET PACKET with
> parameter";content:"/current_time_in_AF.aspx?city=" ;pcre:"/^[a-zA-Z]+$/
> ";flow:to_server,established;http_method;sid:990992;)
>
> Or this one. 
> alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
> content:"/city.php?id=" pcre:"/city.php?id=[0-9]{1,10}/iU";​
> http_method;flow:to_server,established;​sid:20000011;)
>
> When visiting these websites; Random Example websites. 
>
> http://dateandtime.info/city.php?id=1138958​
>
> website for rule 1
> http://www.worldtimeserver.com/current_time_in_AF.aspx?city=Kabul

Fixed your rules.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP GET with param
Current Time"; flow:established,to_server; content:"GET"; http_method;
content:"current_time_in_AF.aspx?city="; http_uri; fast_pattern;
pcre:"/^[a-zA-Z]+$/UR"; classtype:bad-unknown; sid:x; rev:1;)

Your PCRE would never match on what you intend it to, lacks proper escapes, and
is just wrong.  Check out 'man pcresyntax'.

Cheers,
Nathan



------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!