Snort mailing list archives
PCRE Signature Problem
From: Andrey Silversburg <andrey.silversburg () gmail com>
Date: Thu, 4 Aug 2016 13:28:16 +0700
Greetings, Snort Users

I want to detect some portion of the contents of an HTTP form using this rule in Snort, but it seems Snort cannot detect it. This is my rule:
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)
I read in the Snort Users Manual how to catch HTTP content, but it seems Snort only captures some part of the content. I tried to analyze it using Wireshark. CMIIW, I'm guessing there is some "whitespace" that makes my PCRE rule not work. Is there anything wrong with my rule?
This is from my snort -V:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.8
Attachment: pcre.pcap
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
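The rule as posted beside a corrected version, added here as an editorial example rather than anything from the thread. In Snort 2.9 the pcre modifier `U` restricts the pattern to the normalized URI buffer, so a form field carried in the POST body is never examined; `P` selects the HTTP client body, and `http_client_body` is a content modifier that does not attach to a preceding pcre option. The `rev:2` and the rules-file name used in the usage note are assumptions.

```snort
# Rule as posted in the thread. The "U" flag in "/mouse/Usmix" makes the
# PCRE run against the normalized URI buffer only, so "mouse" inside the
# form body is never tested. The trailing http_client_body keyword is a
# content modifier (it belongs to a content option), not a pcre flag.
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)

# Corrected rule (rev bumped to 2, an assumption): the "P" flag points the
# PCRE at the HTTP client body, where the submitted form fields live. The
# s, m, i and x flags are unchanged; "x" only ignores whitespace written in
# the pattern itself, it does not affect whitespace in the inspected data.
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Psmix"; rev:2;)
```

To check the corrected rule against the attached capture, place it in a rules file (say `local.rules`, an assumed name) included from the Snort configuration and replay the pcap with `snort -c snort.conf -r pcre.pcap -A console`; the alert should appear for the POST that carries the `mouse` field.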
Current thread:
- PCRE Signature Problem Andrey Silversburg (Aug 03)
- Re: PCRE Signature Problem wkitty42 (Aug 04)
- Re: PCRE Signature Problem Y M (Aug 04)