[Snort-sigs] [Emerging-Sigs] Rule assist
jlay at ...3266...
Tue Jun 25 13:22:18 EDT 2013
On 2013-06-25 11:10, Joel Esler wrote:
> content:"GET /?1 HTTP/1.1"; fast_pattern:only;
> is your best bet.
> You could break it out like this if you want:
> urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
> "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
Thanks Joel and Will...here's the full rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISED Unknown ?1 redirect";
flow:to_server,established; content:"GET /?1 HTTP/1.1";
fast_pattern:only; metadata:policy balanced-ips drop, policy
security-ips drop, service http; classtype:bad-unknown; sid:10000082;)
Going to run this in production and see how it flies.
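To show why the two rule forms in the thread behave differently, here is an added toy model (not Snort's engine and not part of this thread) that evaluates the raw-content form against the broken-out http_method/http_uri form on constructed request payloads; the "string in body" case shows that an unbuffered content match will also fire on a request body, while the buffered form never looks at the HTTP version.

```python
# Added illustration: Snort's http_inspect normalizes the URI and splits
# the request into buffers; here we only split the request line ourselves.

RAW_CONTENT = "GET /?1 HTTP/1.1"  # content:"GET /?1 HTTP/1.1"; fast_pattern:only;


def parse_request_line(payload: str):
    """Return (method, uri) from the first line, or None if it is not a
    well-formed request line. Stands in for the http_method/http_uri buffers."""
    first_line = payload.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def match_raw_content(payload: str) -> bool:
    """A content match with no buffer modifier is a plain substring search
    over the whole payload, headers and body alike."""
    return RAW_CONTENT in payload


def match_buffered(payload: str) -> bool:
    """urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
    Each option checks only its own buffer, so the HTTP version is never
    examined and nothing in the body is."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    method, uri = parsed
    return len(uri) == 3 and method == "GET" and "/?1" in uri


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain hit":       "GET /?1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http/1.0 client": "GET /?1 HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "longer uri":      "GET /?1abc HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "string in body":  "POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
                       "log=GET /?1 HTTP/1.1",
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw_hit, buffered_hit)} for each sample payload."""
    return {n: (match_raw_content(p), match_buffered(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (raw, buffered) in evaluate().items():
        print(f"{name:16} raw={raw!s:5} buffered={buffered}")
```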