Snort mailing list archives
Setting up a rule for a repeating pattern
From: Gurgen Hakobyan <hakobyan () outlook com>
Date: Tue, 22 Mar 2016 00:03:48 +0000
Hi,

I need to set up a rule that would detect a repetition of headers within an HTTP session. Only initial headers have to be examined (not the content), so we are not going to process huge amounts of data. I want to detect anything that sends two of the same headers (say 2 POST requests, etc.). The repetitions are not necessarily successive.

How is that possible using Snort rules syntax? If I use a command like

    alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)

it will detect the pattern once, but how do I repeat it?

Thanks,
Gurgen
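An added example, not part of the original message or the list's replies: the rule quoted above next to three variants that only fire when a pattern occurs twice in the same inspected payload. The sids 1000001 to 1000003 and the msg strings are constructed for illustration.

```snort
# Rule from the message: fires on a single occurrence of either keyword.
alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)

# One fixed keyword, twice. The second content is searched relative to the
# end of the first match (distance:0), so any number of bytes may sit
# between the two occurrences; they do not have to be successive.
alert tcp any any -> any any (msg:"USERNAME seen twice"; content:"USERNAME"; nocase; content:"USERNAME"; nocase; distance:0; sid:1000001; rev:1;)

# Either keyword, repeated. \1 is a PCRE backreference to whatever the
# first group matched; /s lets "." cross line breaks, /i ignores case.
alert tcp any any -> any any (msg:"Secret keyword repeated"; pcre:"/(USERNAME|PASSWORD).*?\1/is"; sid:1000002; rev:1;)

# Any header name repeated: capture "Name:" at the start of a line (/m),
# then require the same name followed by a colon at the start of a later line.
# A pcre-only rule has no content for the fast pattern matcher, so it is
# evaluated against every packet the rule header selects; narrow the
# ports or add a content anchor before using it on busy links.
alert tcp any any -> any any (msg:"Duplicate HTTP header name"; pcre:"/^([\w-]+)\x3a.*?^\1\x3a/mis"; sid:1000003; rev:1;)
```

These rules only see repetitions that fall inside one inspected payload; a repetition spread over separate packets or requests in a session needs state carried between rules, which Snort provides through flowbits.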
Current thread:
- Setting up a rule for a repeating pattern Gurgen Hakobyan (Mar 21)
- Re: Setting up a rule for a repeating pattern Geoffrey Serrao (Mar 21)