Home page logo

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Rule assist
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 25 Jun 2013 13:10:41 -0400

content:"GET /?1 HTTP/1.1"; fast_pattern:only; 

is your best bet.

You could break it out like this if you want:

urilen:3; content:"GET"; http_method; content:"/?1"; http_uri; content:"HTTP/1.1"; 

"HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the problem?

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jun 25, 2013, at 12:57 PM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all,

So once in a while I see a compromised site that has something like the below after an initial redirect:

GET /?1 HTTP/1.1

HTTP/1.1 302 Found

I'm trying to determine what's the best method for catching this.  Here's what I think I understand:

http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1 HTTP/1.1"?  I'd like to ideally match the 
entire "GET /?1 HTTP/1.1"..I've tried matching with http_header and http_raw_header, but I've not had any luck 
getting snort to fire on the pcap.  I've hexed the ? and ? as well.  Any assistance would help...thanks all!


Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

This SF.net email is sponsored by Windows:

Build for Windows Store.

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]