[Snort-sigs] Rule assist

James Lay jlay at ...3266...
Tue Jun 25 12:57:47 EDT 2013

Hey all,

So once in a while I see a compromised site that has something like the 
below after an initial redirect:

GET /?1 HTTP/1.1

HTTP/1.1 302 Found

I'm trying to determine what's the best method for catching this.  
Here's what I think I understand:

http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1 
HTTP/1.1"?  I'd like to ideally match the entire "GET /?1 
HTTP/1.1"..I've tried matching with http_header and http_raw_header, but 
I've not had any luck getting snort to fire on the pcap.  I've hexed the 
? and ? as well.  Any assistance would help...thanks all!


More information about the Snort-sigs mailing list