Snort mailing list archives

about http_inspection


From: 강명훈 <mhkang589 () gmail com>
Date: Sun, 7 Jun 2015 23:55:58 +0900

Hi, all. :)

Can anybody explain the rule below?
I think it matches the normalized HTTP request URI with content,
and matches the unnormalized HTTP request URI with pcre.
Correct?
Does http_inspect support pcre too?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:10;)

-- 

http://kangmyounghun.blogspot.kr/
http://kr.linkedin.com/pub/myounghun-kang/74/238/93a
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
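
In Snort 2.x, content with http_uri is matched against http_inspect's normalized URI buffer, while a pcre with no HTTP modifier (such as U) is matched against the raw packet payload. The sketch below is an added example, not part of the original post or of Snort, that emulates the two conditions of sid:1054 over constructed requests. The function names and sample requests are assumptions, Python's re stands in for PCRE, and percent-decoding stands in for http_inspect's fuller normalization.

```python
import re
from urllib.parse import unquote

# pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"
# No U modifier, so the pattern is applied to the raw (unnormalized) payload.
RAW_JSP = re.compile(r"^\w+\s+[^\n\s\?]*\.jsp", re.S | re.M | re.I)


def normalized_uri(payload: bytes) -> str:
    """Hypothetical stand-in for the http_uri buffer: percent-decoded request target."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return unquote(parts[1], encoding="latin-1") if len(parts) >= 2 else ""


def sid_1054_fires(payload: bytes) -> bool:
    """Emulate: content:".jsp"; nocase; http_uri;  AND NOT the raw-payload pcre."""
    content_hit = ".jsp" in normalized_uri(payload).lower()
    pcre_hit = RAW_JSP.search(payload.decode("latin-1")) is not None
    # The leading "!" in the rule negates the pcre: alert only when it does NOT match.
    return content_hit and not pcre_hit


# Constructed sample requests (not taken from real traffic).
SAMPLES = {
    # Literal .jsp in the path: both checks match, negated pcre suppresses the alert.
    "plain_path": b"GET /app/index.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # .jsp appears only after normalization: content matches, raw pcre does not.
    "encoded_path": b"GET /app/index.js%70 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # .jsp only in the query string: the pcre stops at "?", so the rule also alerts.
    "query_only": b"GET /app/view?page=index.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # No .jsp anywhere: the content check fails first.
    "no_jsp": b"GET /app/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def evaluate() -> dict:
    """Return {sample name: would the emulated rule alert?}."""
    return {name: sid_1054_fires(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:13s} alert={fired}")
```

The query_only case is worth noting when tuning: the rule alerts on any request whose normalized URI contains .jsp unless the raw request line has a literal .jsp before the first "?".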

