[Snort-sigs] Looking for HTTP POST's over 1mb in size

JOSH RIVEL, BLOOMBERG/ 731 LEXIN jrivel at ...3472...
Thu Apr 8 12:24:50 EDT 2010

So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed.  Can someone take a look and let me know if this is OK?  (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
(We have some stuff in there to ignore posts to certain sites due to too many false positives)
The rule is:
alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )

More information about the Snort-sigs mailing list