[Snort-sigs] Rule assist
jlay at ...3266...
Tue Jun 25 12:57:47 EDT 2013
So once in a while I see a compromised site that has something like the
below after an initial redirect:
GET /?1 HTTP/1.1
HTTP/1.1 302 Found
I'm trying to determine what's the best method for catching this.
Here's what I think I understand:
http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1
HTTP/1.1"? I'd like to ideally match the entire "GET /?1
HTTP/1.1"... I've tried matching with http_header and http_raw_header, but
I've not had any luck getting snort to fire on the pcap. I've hexed the
? and ? as well. Any assistance would help... thanks all!
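One way to write this in Snort 2.x rule syntax, as an added example that is not part of the original post: the method and the URI (path plus query) are exposed in separate buffers, so the request line is matched piecewise, and a flowbit ties the client request to the server's 302. The SIDs, msg strings, the flowbit name and the $HOME_NET/$EXTERNAL_NET variables are assumptions to be adapted to the local setup.

```snort
# Added example rules, not from the original post. SIDs, msg text, the
# flowbit name and the network variables are assumptions.
#
# Rule 1: match "GET /?1 HTTP/1.1" as method + URI. The raw URI buffer
# holds "/?1" (no method, no "HTTP/1.1"), and the anchored pcre on the
# raw URI (/I) makes sure the URI is exactly "/?1" and not a prefix of a
# longer path. The rule only sets a flowbit and does not alert by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL GET /?1 request seen (flowbit set)"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/?1"; http_raw_uri; \
    pcre:"/^\/\?1$/I"; \
    flowbits:set,local_get_q1; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Rule 2: alert only when the server answers that request with a 302,
# checked in the HTTP status-code buffer on the to_client side of the flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL 302 redirect answering GET /?1 request"; \
    flow:established,to_client; \
    flowbits:isset,local_get_q1; \
    content:"302"; http_stat_code; \
    classtype:trojan-activity; sid:1000002; rev:1; )
```

Test against the pcap with `snort -c snort.conf -r capture.pcap -A console` and confirm that only the second rule fires, and only on flows where the request and the 302 belong to the same session.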