[Snort-sigs] filter http traffic
kenterer1 at ...3680...
Sat May 19 09:26:53 EDT 2012
I want to filter search requests to e.g. Google which have certain keywords.
My suggestion is the following:
alert tcp any any -> any any (pcre: "/(keyword1|keyword2)*/"; msg: "someone searches for rootkit or malware in google bing or yahooo"; sid: 1000004;rev:1;)
Since I want to be able to use regular expressions, I use PCRE. However, this line only gives an alarm if I use the "URL bar" of the browser to search for keywords. If I visit google.com and type the keywords in the input box, there is no alarm going off. :/
I would appreciate any inspiration.
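Added example, not part of the original post: a Python sketch of the matching logic the rule is after, run over constructed request lines. It shows that the posted pattern also matches the empty string because of the trailing `*`, and contrasts it with a keyword check on the URL-decoded search parameter. Python's `re` stands in for PCRE here; the keywords are taken from the rule's msg text, and the parameter names `q` and `p` and all function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern as posted: the trailing * allows zero repetitions, so the
# pattern matches the empty string and therefore any payload at all.
POSTED = re.compile(r"(keyword1|keyword2)*")

# Tightened form (assumption: keywords taken from the rule's msg text).
KEYWORDS = re.compile(r"\b(rootkit|malware)\b", re.IGNORECASE)

def posted_pattern_matches(payload: str) -> bool:
    """True if the pattern from the posted rule matches the payload."""
    return POSTED.search(payload) is not None

def search_terms(request_line: str) -> str:
    """Return the decoded search terms of an HTTP request line, or ''."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST"):
        return ""
    # parse_qs decodes %xx escapes and '+' before we look at the words.
    params = parse_qs(urlsplit(parts[1]).query)
    # Assumption: the search box submits its text in 'q' or 'p'.
    return " ".join(v for k in ("q", "p") for v in params.get(k, []))

def is_keyword_search(request_line: str) -> bool:
    """True if the decoded search terms contain one of the keywords."""
    return KEYWORDS.search(search_terms(request_line)) is not None

# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET /search?q=root%6Bit+removal HTTP/1.1",
    "GET /search?p=MALWARE+sample HTTP/1.1",
    "GET /search?q=weather HTTP/1.1",
    "GET /malware.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: posted={posted_pattern_matches(line)} "
              f"keyword_search={is_keyword_search(line)}")
```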