[Snort-devel] what about anti-rules and whatnot?

Martin Roesch roesch at ...48...
Sat Apr 7 02:43:18 EDT 2001


Max wrote:
>  cgi exploits (identifying that a request is a cgi, not referer, etc)

Ok, I coded this one and it's in CVS...

The keyword is "uricontent" and it works just like regular content with
the only difference being that if the http_decode preprocessor is
activated the URI section of the packet will be located and searched
instead of searching the entire payload.  There's some pretty nasty tie-ins
between the pattern matcher, http_decode plugin, and the decoder,
but I figure it's all in good fun (and you don't have to use it if you
don't want).

FYI, if the http_decode plugin isn't turned on, it'll act just like the
normal content rule...

Sample config:

preprocessor http_decode: 80 1080 8080 3128

alert tcp any any -> $HOME_NET 80 (uricontent: "phf"; msg: "PHF attack!";)

   -Marty

--
Martin Roesch
roesch at ...48...
http://www.snort.org
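The following is an added example, not code from the Snort project or from the post above. It models the matching behaviour Marty describes so the difference between content and uricontent can be seen on constructed HTTP requests: uricontent searches only the request URI when http_decode is active for the destination port, and falls back to searching the whole payload otherwise. The percent-decoding step is an assumption about what the http_decode preprocessor normalizes (the post only names the preprocessor), and the sample requests are constructed, not captured traffic.

```python
"""Toy model of Snort's content vs uricontent matching (added example).

Not Snort code: it reproduces the behaviour described in the post so the
two keywords can be compared on constructed requests.
"""
from typing import Optional
from urllib.parse import unquote_to_bytes

# Port list taken from the sample config in the post.
HTTP_DECODE_PORTS = {80, 1080, 8080, 3128}


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-URI of an HTTP request line, or None if the
    payload does not start with a 'METHOD SP URI SP HTTP/x.y' line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def normalize_uri(uri: bytes) -> bytes:
    """Undo %xx escapes so 'p%68f' matches 'phf'.
    Assumption: this stands in for the hex-decoding done by http_decode."""
    return unquote_to_bytes(uri)


def rule_matches(payload: bytes, dst_port: int, pattern: bytes,
                 keyword: str = "uricontent",
                 http_decode_enabled: bool = True) -> bool:
    """Evaluate one content/uricontent test the way the post describes.

    keyword="content":    search the entire payload.
    keyword="uricontent": if http_decode is on for dst_port and the payload
                          carries a request line, search only the normalized
                          URI; otherwise behave exactly like content.
    """
    if keyword == "content":
        return pattern in payload
    if keyword != "uricontent":
        raise ValueError("unknown keyword: %s" % keyword)
    if http_decode_enabled and dst_port in HTTP_DECODE_PORTS:
        uri = extract_uri(payload)
        if uri is not None:
            return pattern in normalize_uri(uri)
    # http_decode off, port not decoded, or no request line: plain content.
    return pattern in payload


# Constructed sample requests (not captured traffic).
PHF_IN_URI = (b"GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0\r\n"
              b"Host: victim\r\n\r\n")
PHF_ENCODED = b"GET /cgi-bin/p%68f HTTP/1.0\r\nHost: victim\r\n\r\n"
PHF_IN_BODY = (b"POST /guestbook HTTP/1.0\r\nContent-Length: 17\r\n\r\n"
               b"message=phf+rocks")


def demo() -> dict:
    """Run the 'phf' rule from the post in both keyword modes."""
    results = {}
    for name, req in (("uri", PHF_IN_URI), ("encoded", PHF_ENCODED),
                      ("body", PHF_IN_BODY)):
        results[name] = {
            "uricontent": rule_matches(req, 80, b"phf"),
            "content": rule_matches(req, 80, b"phf", keyword="content"),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Two things the model makes visible: a hex-encoded request URI ("p%68f") is caught by uricontent but missed by a plain content match, while "phf" appearing only in a POST body matches content but not uricontent. Sending the same body request to a port outside the http_decode list (or with the preprocessor disabled) makes uricontent behave exactly like content, which is the fallback the post describes.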



