[Snort-devel] writing rules for web applications
cmg at ...402...
Wed May 8 09:05:56 EDT 2002
I'm going to be adding support to further decode web applications
further down the application layer and, after talking to rfp & HD Moore,
I'm trying to come up with a suitable way to do this from a rules
will *only* look for the cgi name before
a ? in the string.
uriparam: "key", "pattern", <flavor>
key: is the CGI argument
pattern: the (optional?) pattern to check for
method: decoding strategy to take:
hex -- only process %20 type stuff
raw -- only process the raw bytes
unicode_all -- only process %c0cf and %u0000 junkets
any -- normalize both, warn on double decodes
I want to think about this for a bit before it's fully implemented
because I have to do a lot of work to implement and then we have to do
a TON of work to convert signatures.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-IIS ASP contents view";
flow:to_server; flags: A+;
and uriparam will always have to be after a uricontent
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
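To make the proposed option concrete, here is a toy matcher with the semantics the post sketches for uriparam: split the query string into CGI arguments, normalize the named argument's value with one of the four flavors, and compare it against an optional pattern. This is an added example, not Snort code or anything from the post or its author; the exact behaviour of each flavor, the treatment of "warn on double decodes" as "a second decoding pass still changes the value", the handling of repeated keys, and the hypothetical view.asp CGI with its file argument used in the demo are all assumptions made for illustration.

```python
"""Toy model of the proposed 'uriparam: "key", "pattern", <flavor>' option.

Added example, not Snort's implementation. Flavor semantics are assumed:
  raw         - compare the bytes as sent
  hex         - one pass of %XX decoding
  unicode_all - %uXXXX escapes and overlong two-byte UTF-8 (%c0%af == '/')
  any         - both of the above, and flag values that decode a second time
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PCT_HEX = re.compile(r'%([0-9A-Fa-f]{2})')
PCT_UNICODE = re.compile(r'%[uU]([0-9A-Fa-f]{4})')
PCT_OVERLONG = re.compile(r'%([Cc][01])%([0-9A-Fa-f]{2})')


def decode_hex(s: str) -> str:
    """One pass of %XX decoding (the 'hex' flavor). It never recurses, so
    %252e becomes %2e and stays there; catching that is the job of 'any'."""
    return PCT_HEX.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_unicode(s: str) -> str:
    """IIS-style %uXXXX escapes plus overlong two-byte UTF-8 sequences
    (%c0%af is an overlong '/'). Plain %XX escapes are left alone here."""
    s = PCT_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)

    def overlong(m):
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        if 0x80 <= trail <= 0xBF:          # valid continuation byte
            return chr(((lead & 0x1F) << 6) | (trail & 0x3F))
        return m.group(0)                  # not a UTF-8 pair, keep as-is

    return PCT_OVERLONG.sub(overlong, s)


def normalize(s: str, flavor: str) -> Tuple[str, bool]:
    """Return (normalized value, double_decoded) for the requested flavor."""
    if flavor == 'raw':
        return s, False
    if flavor == 'hex':
        return decode_hex(s), False
    if flavor == 'unicode_all':
        return decode_unicode(s), False
    if flavor == 'any':
        # Unicode first so %c0%af is seen whole, then ordinary %XX escapes.
        once = decode_hex(decode_unicode(s))
        # If a second pass still changes the value the client sent
        # double-encoded data (%252e -> %2e -> .), which the post wants flagged.
        twice = decode_hex(decode_unicode(once))
        return once, twice != once
    raise ValueError(f'unknown flavor {flavor!r}')


def cgi_name(uri: str) -> str:
    """What a plain uricontent check sees: everything before the '?'."""
    return uri.split('?', 1)[0]


def query_params(uri: str, flavor: str) -> Dict[str, Tuple[str, bool]]:
    """Split the query string into key -> (normalized value, double_decoded).
    Assumption: the first occurrence of a repeated key wins."""
    params: Dict[str, Tuple[str, bool]] = {}
    if '?' not in uri:
        return params
    for pair in uri.split('?', 1)[1].split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        key, _ = normalize(key, flavor)
        params.setdefault(key, normalize(value, flavor))
    return params


@dataclass
class UriParamResult:
    matched: bool
    double_decoded: bool
    value: Optional[str] = None


def uriparam(uri: str, key: str, pattern: Optional[str],
             flavor: str = 'any') -> UriParamResult:
    """Fires when the named CGI argument is present and, if a pattern is
    given, the normalized value contains it (assumed option semantics)."""
    params = query_params(uri, flavor)
    if key not in params:
        return UriParamResult(False, False)
    value, double = params[key]
    return UriParamResult(pattern is None or pattern in value, double, value)


if __name__ == '__main__':
    # Constructed request URIs, not captured traffic; view.asp and its
    # 'file' argument are hypothetical.
    for uri in ('/view.asp?file=..%2f..%2fboot.ini',
                '/view.asp?file=..%c0%af..%c0%afboot.ini',
                '/view.asp?file=..%252f..%252fboot.ini',
                '/view.asp?file=readme.txt'):
        if 'view.asp' not in cgi_name(uri):
            continue
        for flavor in ('raw', 'hex', 'unicode_all', 'any'):
            print(f'{flavor:12s} {uri:44s} {uriparam(uri, "file", "../", flavor)}')
```

Running the demo shows why the flavor matters for signature conversion: the same traversal attempt is caught by hex but missed by raw, the overlong UTF-8 form is caught only by unicode_all or any, and the double-encoded form is not matched by a single pass at all but is flagged by any as a double decode.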