[Snort-sigs] [Emerging-Sigs] Rule assist

Joel Esler jesler at ...435...
Tue Jun 25 13:10:41 EDT 2013


content:"GET /?1 HTTP/1.1"; fast_pattern:only; 

is your best bet.

You could break it out like this if you want:

urilen:3; content:"GET"; http_method; content:"/?1"; http_uri; content:"HTTP/1.1"; 

"HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the problem?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 25, 2013, at 12:57 PM, James Lay <jlay at ...3266...> wrote:

> Hey all,
> 
> So once in a while I see a compromised site that has something like the below after an initial redirect:
> 
> GET /?1 HTTP/1.1
> <snip>
> Host: 93.171.172.179
> 
> HTTP/1.1 302 Found
> <snip>
> LOCATION: http://93.171.172.179/?2
> 
> I'm trying to determine what's the best method for catching this.  Here's what I think I understand:
> 
> http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1 HTTP/1.1"?  I'd like to ideally match the entire "GET /?1 HTTP/1.1"..I've tried matching with http_header and http_raw_header, but I've not had any luck getting snort to fire on the pcap.  I've hexed the ? and ? as well.  Any assistance would help...thanks all!
> 
> James
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3694...
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
> The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130625/3b16977e/attachment.html>


More information about the Snort-sigs mailing list