[Snort-sigs] Can't generate snort alerts with GET HTTP using pcre.

Sabawoon Mageedzada sabawoon.majeedzada at ...2420...
Mon Aug 4 00:03:10 EDT 2014


Hello Everyone,

I would appreciate if someone can help me with these rules or fix these
rules. I can't generate alerts using the snort rules bellow.

*Goal*:* A:* To generate snort alerts if HTTP GET's attribute accpets a
value which is not matched with the pcre value. Simply, I want To generate
snort alerts using HTTP GET Method with a parameter. The parameter
(index.php?paramter=something) should accept a value.  If the value does
not match the pcre pattern, it should generate alert.

B: To generate alerts if specific attribute is used with a HTTP GET
request. Say for example, I should get alerts if a get http attribute has
gets a value. For example, I should get an alert if the date is used in
here. http:/www.example.com/index.php?date=something


*Right now*, I can't alerts generated when I go the the website and pass
1223 to the "city"  attribute or a string value to the "id" attribute in
the mentioned in the rules below. It should give me alert based on the
rule. But the rule might have problem.

alert tcp any any -> any 80  (msg:"HTTP GET PACKET with
parameter";content:"/current_time_in_AF.aspx?city=" ;pcre:"/^[a-zA-Z]+$/ "
;flow:to_server,established;http_method;sid:990992;)

Or this one.
alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
content:"/city.php?id=" pcre:"/city.php
?id=[0-9]{1,10}/iU";​http_method;flow:to_server,established;​sid:20000011;)

Thanks,
SF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140804/99f78861/attachment.html>


More information about the Snort-sigs mailing list