[Snort-sigs] [Emerging-Sigs] Rule assist

Will Metcalf wmetcalf at ...3525...
Tue Jun 25 13:08:11 EDT 2013


Should work just fine. Usually when things should work but don't, I
automatically suspect an incomplete/corrupted pcap. Try running the pcap
again with "-k none"?

Regards,

Will


On Tue, Jun 25, 2013 at 11:57 AM, James Lay <jlay at ...3266...>wrote:

> Hey all,
>
> So once in a while I see a compromised site that has something like the
> below after an initial redirect:
>
> GET /?1 HTTP/1.1
> <snip>
> Host: 93.171.172.179
>
> HTTP/1.1 302 Found
> <snip>
> LOCATION: http://93.171.172.179/?2
>
> I'm trying to determine what's the best method for catching this.  Here's
> what I think I understand:
>
> http_uri would match "?1", would http_raw_uri match "/?1" or even "/?1
> HTTP/1.1"?  I'd like to ideally match the entire "GET /?1 HTTP/1.1"... I've
> tried matching with http_header and http_raw_header, but I've not had any
> luck getting snort to fire on the pcap.  I've hexed the ? and ? as well.
> Any assistance would help... thanks all!
>
> James
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...2570...emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!
>
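Added example (not from the thread, and not Snort's own code): a small Python model of the per-buffer split that the HTTP preprocessor gives a rule writer, run over a constructed request/response pair shaped like the one quoted above. It shows which buffer holds which bytes ("/?1" sits in http_uri and http_raw_uri; neither "GET" nor "HTTP/1.1" does, so a single content on one buffer cannot match the whole request line), decodes the "|3F|" hex form James mentions, and chains the request and the 302 Location the way a flowbits pair would. The sample traffic, the header set, and the buffer semantics encoded in split_request/split_response are simplifying assumptions stated in the comments; check them against the Snort manual for the version you run.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed traffic modelled on the exchange quoted in the thread
# (assumption: CRLF line endings and a minimal, made-up header set).
REQUEST = (
    b"GET /?1 HTTP/1.1\r\n"
    b"Host: 93.171.172.179\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx\r\n"
    b"LOCATION: http://93.171.172.179/?2\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def snort_content(spec):
    """Turn a Snort content string such as '/|3F|1' into raw bytes.

    Hex runs between pipes are decoded; everything else is literal, so
    '/|3F|1' and '/?1' denote the same three bytes.
    """
    out = bytearray()
    for part in re.split(r"(\|[0-9A-Fa-f ]+\|)", spec):
        if part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part[1:-1])
        else:
            out += part.encode()
    return bytes(out)


def split_request(raw):
    """Model the per-buffer split applied to an HTTP request.

    Simplification (assumption): the request line is carved into method,
    URI and version; only the header block after it lands in
    http_header / http_raw_header (header normalisation is not modelled),
    and http_uri is the raw URI with percent-escapes decoded.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, raw_uri, version = lines[0].split(b" ", 2)
    headers = b"\r\n".join(lines[1:]) + b"\r\n"
    return {
        "http_method": method,
        "http_raw_uri": raw_uri,
        "http_uri": unquote_to_bytes(raw_uri),
        "version": version,  # kept for request_line(); not a rule buffer here
        "http_raw_header": headers,
        "http_header": headers,
    }


def split_response(raw):
    """Same idea for a response: status line -> http_stat_code / http_stat_msg,
    the remaining header block -> http_header (assumption, as above)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    _version, code, msg = lines[0].split(b" ", 2)
    headers = b"\r\n".join(lines[1:]) + b"\r\n"
    return {"http_stat_code": code, "http_stat_msg": msg,
            "http_header": headers, "http_raw_header": headers}


def content_match(buffers, buffer_name, pattern, nocase=False):
    """Emulate 'content:"..."; <buffer>;' (plus optional nocase) as a substring test."""
    hay = buffers[buffer_name]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    return pattern in hay


def request_line(buffers):
    """Reassemble the full request line; in this model no single buffer holds it,
    so matching 'GET /?1 HTTP/1.1' needs http_method plus http_uri contents."""
    return b" ".join([buffers["http_method"], buffers["http_raw_uri"], buffers["version"]])


def check_redirect_pair(request, response):
    """Emulate a two-rule flowbits chain over one request/response pair.

    Rule 1 (to_server): content:"GET"; http_method; content:"/|3F|1"; http_uri;
    Rule 2 (to_client): content:"302"; http_stat_code;
                        content:"Location|3A| http|3A|//"; http_header; nocase;
                        content:"/|3F|2"; http_header;
    """
    req = split_request(request)
    resp = split_response(response)
    hit_request = (content_match(req, "http_method", snort_content("GET"))
                   and content_match(req, "http_uri", snort_content("/|3F|1")))
    hit_response = (content_match(resp, "http_stat_code", snort_content("302"))
                    and content_match(resp, "http_header",
                                      snort_content("Location|3A| http|3A|//"), nocase=True)
                    and content_match(resp, "http_header", snort_content("/|3F|2")))
    return hit_request and hit_response


if __name__ == "__main__":
    for name, value in split_request(REQUEST).items():
        print(f"{name:16s} {value!r}")
    print("redirect pair matched:", check_redirect_pair(REQUEST, RESPONSE))
```

The point of the model is the negative cases: content "?1" or "/?1" on http_uri fires, while "GET /?1 HTTP/1.1" on http_header or "/?1 HTTP/1.1" on http_raw_uri never can, whatever the pcap looks like. If those contents still do not fire on real traffic, the pcap itself (truncation, bad checksums, which is what "-k none" side-steps) is the next thing to rule out.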