Snort mailing list archives

Re: [Emerging-Sigs] Rule assist
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Tue, 25 Jun 2013 12:08:11 -0500

Should work just fine. Usually when things should work but don't, I
automatically suspect an incomplete/corrupted pcap. Try running the pcap
again with "-k none"?



On Tue, Jun 25, 2013 at 11:57 AM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all,

So once in a while I see a compromised site that has something like the
below after an initial redirect:

GET /?1 HTTP/1.1

HTTP/1.1 302 Found

I'm trying to determine what's the best method for catching this.  Here's
what I think I understand:

http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1
HTTP/1.1"?  I'd like to ideally match the entire "GET /?1 HTTP/1.1"... I've
tried matching with http_header and http_raw_header, but I've not had any
luck getting snort to fire on the pcap.  I've hexed the ? and ? as well.
Any assistance would help...thanks all!


Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
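Will's "-k none" suggestion hinges on checksums: with Snort's default checksum verification, a TCP segment whose checksum fails is not inspected, so a capture taken with NIC checksum offload (or otherwise damaged) never reaches the rule engine, and "-k none" switches that verification off. As an added example, not code from this thread, the following Python builds a constructed IPv4/TCP packet carrying a request line like the one James quotes and verifies its IP and TCP checksums the way an IDS would before inspection; the addresses, ports and host name are all constructed.

```python
import socket
import struct

# Constructed sample request, modelled on the request line quoted in the thread.
SAMPLE_REQUEST = b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    # Fields the TCP checksum covers beyond the segment: addresses, zero, protocol 6, length.
    return src + dst + struct.pack("!BBH", 0, 6, seg_len)

def build_request_frame(payload: bytes, correct_checksum: bool = True) -> bytes:
    """Build a constructed IPv4/TCP packet (no link-layer header) carrying an HTTP request."""
    src, dst = socket.inet_aton("10.0.0.5"), socket.inet_aton("203.0.113.10")
    # sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    csum = ones_complement_sum(tcp_pseudo_header(src, dst, 20 + len(payload)) + tcp_hdr + payload)
    if not correct_checksum:
        csum ^= 0x0001  # flip one bit: the packet now looks like a capture with bad checksums
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload

def check_packet(pkt: bytes) -> dict:
    """Verify the IP and TCP checksums of a raw IPv4 packet and extract the HTTP request line."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]  # bounded by the IP total length
    pseudo = tcp_pseudo_header(pkt[12:16], pkt[16:20], len(seg))
    data_off = (seg[12] >> 4) * 4
    return {
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": ones_complement_sum(pseudo + seg) == 0,
        "request_line": seg[data_off:].split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }

if __name__ == "__main__":
    for ok in (True, False):
        print(check_packet(build_request_frame(SAMPLE_REQUEST, correct_checksum=ok)))
```

Running the same check over the TCP packets of a real capture tells you whether a silent rule is a rule problem or a capture problem before you reach for "-k none".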


Snort-sigs mailing list
Snort-sigs () lists sourceforge net
