[Snort-sigs] filter http traffic

Sdflkaj Jksdfj kenterer1 at ...3680...
Sat May 19 09:26:53 EDT 2012


Hey there,

i want to filter search requests to e.g. google which have certain keywords.

my suggestion is the following:

 alert tcp any any -> any any (pcre: "/(keyword1|keyword2)*/"; msg: "someone searches for rootkit or malware in google bing or yahooo"; sid: 1000004;rev:1;) 


 Since i want to be able to use regular expressions i use PCRE. However this line only gives alarm if i use the "url bar" of the browser to search for   keywords. if i visit google.com and type the keywords in the input box, there is no alarm  going of . : / 


i would appreciate any inspiration.

cheers
kenterer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120519/94780674/attachment.html>


More information about the Snort-sigs mailing list