Snort mailing list archives
Re: PCRE Signature Problem
From: wkitty42 () windstream net
Date: Thu, 4 Aug 2016 11:40:03 -0400
On 08/04/2016 02:28 AM, Andrey Silversburg wrote:
> Greetings, Snort Users,
>
> I want to detect some portion of the contents from an HTTP form using this rule in
> Snort, but it seems Snort cannot detect it. This is my rule:
>
> alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)
why are you using a "pcre" for that? what is wrong with just plain "content"?
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008;
flow:to_server,established; content:"POST"; http_method; content:"/mouse/Usmix";
http_client_body; rev:1;)
OR
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008;
flow:to_server,established; content:"POST"; http_method; content:"/mouse/Usmix";
rev:1;)
the above are untested... the below email signature is fully tested...
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
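How Snort 2.x reads the `pcre` option in the quoted rule, as an added example that is not part of either poster's message: the letters after the closing `/` are a flag string, and the HTTP buffer a pcre inspects is selected by those flags (per the Snort 2.9 manual), not by a content modifier that follows it. The function names and buffer descriptions are this example's own, and only the `/regex/flags` form is handled.

```python
import re

# pcre flag -> (HTTP buffer it selects, equivalent content modifier), taken
# from the Snort 2.9 manual; the buffer descriptions are this example's wording.
BUFFER_FLAGS = {
    "U": ("normalized URI", "http_uri"), "I": ("raw URI", "http_raw_uri"),
    "P": ("client body", "http_client_body"), "M": ("method", "http_method"),
    "H": ("normalized header", "http_header"), "D": ("raw header", "http_raw_header"),
    "C": ("normalized cookie", "http_cookie"), "K": ("raw cookie", "http_raw_cookie"),
    "S": ("status code", "http_stat_code"), "Y": ("status message", "http_stat_msg"),
}
MODIFIER_TO_FLAG = {mod: flag for flag, (_, mod) in BUFFER_FLAGS.items()}
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
PCRE_RE = re.compile(r'(!?)"/(.*)/([A-Za-z]*)"', re.S)

def rule_options(rule):
    """Return the (keyword, value) pairs between the rule's parentheses."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return OPTION_RE.findall(body)

def audit_pcre(rule):
    """Describe every pcre option: regex, flags, buffer, stray modifier."""
    opts, report = rule_options(rule), []
    for i, (name, value) in enumerate(opts):
        if name != "pcre":
            continue
        match = PCRE_RE.fullmatch(value.strip())
        if match is None:  # the m<delim>...<delim> form is not handled here
            raise ValueError(f"unsupported pcre syntax: {value}")
        _, regex, flags = match.groups()
        buffers = [BUFFER_FLAGS[f][0] for f in flags if f in BUFFER_FLAGS]
        following = opts[i + 1][0] if i + 1 < len(opts) else ""
        report.append({
            "regex": regex, "flags": flags,
            "buffers": buffers or ["packet payload"],
            # A content modifier right after pcre does not pick pcre's buffer.
            "stray_modifier": following if following in MODIFIER_TO_FLAG else None,
            "flag_for_modifier": MODIFIER_TO_FLAG.get(following),
        })
    return report

# The rule quoted in this thread.
QUOTED_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; '
               'sid:100000008; flow:to_server,established; content:"POST"; '
               'http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)')

if __name__ == "__main__":
    print(audit_pcre(QUOTED_RULE))
```

For the quoted rule this reports the regex `mouse` with flags `Usmix`, which selects the normalized URI buffer; `P` is the pcre flag that corresponds to `http_client_body`.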
Current thread:
- PCRE Signature Problem Andrey Silversburg (Aug 03)
- Re: PCRE Signature Problem wkitty42 (Aug 04)
- Re: PCRE Signature Problem Y M (Aug 04)
