Snort mailing list archives

Setting up a rule for a repeating pattern


From: Gurgen Hakobyan <hakobyan () outlook com>
Date: Tue, 22 Mar 2016 00:03:48 +0000

Hi,

I need to set up a rule that would detect a repetition of headers within an HTTP session.

Only initial headers have to be examined (not the content), so we are not going to process huge amounts of data. I want 
to detect anything that sends two of the same headers (say 2 POST requests, etc.). The repetitions are not necessarily 
successive.

How is that possible using Snort rules syntax? If I use a command like

alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)

it will detect the pattern once, but how do I repeat it?

Thanks,
Gurgen
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
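
The matching logic the message above asks for, written as an added Python example; it is not part of the original post and is not a Snort rule. It assumes "repetition" means a request method seen more than once in the session, or a header name seen more than once inside one request, and that bodies are delimited by Content-Length; the sample session and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: client side of one HTTP session with three requests.
# The two POSTs are not successive, and the first POST body contains
# header-like text that must be skipped rather than counted.
BODY = b"note=Cookie: a\r\nCookie: b"
SAMPLE_SESSION = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n\r\n" % len(BODY)
    + BODY
    + b"GET /home HTTP/1.1\r\nHost: example.test\r\nCookie: a=1\r\nCookie: b=2\r\n\r\n"
    + b"POST /update HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
)


def parse_requests(stream):
    """Yield (method, [lower-cased header names]) per request, headers only."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block: nothing more to examine
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method = lines[0].split(" ", 1)[0]
        names, body_len = [], 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            names.append(name)
            if name == "content-length" and value.strip().isdigit():
                body_len = int(value.strip())
        yield method, names
        pos = end + 4 + body_len  # jump over the body to the next request line


def find_repeats(stream):
    """Return (methods repeated in the session, [(request index, duplicated headers)])."""
    methods = Counter()
    dup_headers = []
    for index, (method, names) in enumerate(parse_requests(stream)):
        methods[method] += 1
        dups = sorted(n for n, c in Counter(names).items() if c > 1)
        if dups:
            dup_headers.append((index, dups))
    repeated_methods = sorted(m for m, c in methods.items() if c > 1)
    return repeated_methods, dup_headers
```

The point it makes for rule writing is that the repeat count is state kept per session across requests, which a single pcre match against one packet does not carry.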