Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Rule assist
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Tue, 25 Jun 2013 12:08:11 -0500

Should work just fine. Usually when things should work but don't, I
automatically suspect incomplete/corrupted pcap. Trying running the pcap
again with "-k none" ?

Regards,

Will


On Tue, Jun 25, 2013 at 11:57 AM, James Lay <jlay () slave-tothe-box net>wrote:

Hey all,

So once in a while I see a compromised site that has something like the
below after an initial redirect:

GET /?1 HTTP/1.1
<snip>
Host: 93.171.172.179

HTTP/1.1 302 Found
<snip>
LOCATION: http://93.171.172.179/?2

I'm trying to determine what's the best method for catching this.  Here's
what I think I understand:

http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1
HTTP/1.1"?  I'd like to ideally match the entire "GET /?1 HTTP/1.1"..I've
tried matching with http_header and http_raw_header, but I've not had any
luck getting snort to fire on the pcap.  I've hexed the ? and ? as well.
 Any assistance would help...thanks all!

James



______________________________**_________________
Emerging-sigs mailing list
Emerging-sigs () lists **emergingthreats net<Emerging-sigs () lists emergingthreats net>
https://lists.emergingthreats.**net/mailman/listinfo/emerging-**sigs<https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs>

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of
Suricata and Snort 2.4.0 through Current!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault