[Snort-sigs] Looking for HTTP POST's over 1mb in size

evilghost at ...3397... evilghost at ...3397...
Thu Apr 8 12:49:12 EDT 2010

Hey Josh, isn't the root issue here 10[1-9] in the PCRE OR match since 
it'll match on on 101, 102, 103, etc?

What about:


It'll still match against 1,000,000 bytes which is close enough to 1Mb for me.  Also, note sure why you need the other PCRE flags.


> So I wrote a signature to detect HTTP POST's over 1mb in size, but I think that my pcre logic is flawed.  Can someone take a look and let me know if this is OK?  (It does work, but will trigger on file sizes < 1mb based on the Content-Length: header)
> (We have some stuff in there to ignore posts to certain sites due to too many false positives)
> The rule is:
> alert tcp any !20 -> $EXTERNAL_NET !25 (flow:established,to_server; priority:1; content:"POST"; nocase; http_method; content:!"Shockwave"; nocase; http_header; content:!"x-flash-version"; nocase; content:!"Host\: live.com"; nocase; http_header; content:!"Host\: mail.google.com"; nocase; http_header; content:!"Host\: mail.yahoo.com"; nocase; content:!"Host\: webmail.aol.com"; nocase; http_header; content:!"Host\: webmail.juno.com"; nocase; http_header; content:!"Host\: webmailb.juno.com"; nocase; http_header; content:"multipart/"; nocase; content:"Content-Length\:"; nocase; http_header; pcre:"/^Content-Length:\s*([1-9][0-9]{6,}|10[1-9])/smix"; pcre:!"/^Host:\s.*[\.live.com]$/smi"; msg:"http-post-pcre-jr"; classtype:policy-violation; sid:1000060; gid:1; rev:4; )
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list