[Snort-sigs] Can't generate snort alerts with GET HTTP using pcre.

Simon Wesseldine simon.wesseldine at ...3930...
Mon Aug 4 04:56:15 EDT 2014


Hi Sabawoon,

I shall try and help you with your question, but it looks like you have a
number of issues with your rules that are causing you problems. The main
advice I would like to offer you is:

1. When using the http_method keyword, it must come immediately after
the content match you wish for it to operate on, e.g. content:"GET";
http_method;

2. Some characters within pcre matches must be escaped with a
backslash for them to operate as you would want, e.g. the period (.) is a
wildcard in pcre if not escaped correctly (\.).

3. Your pcre match ^[a-zA-Z]+$ is looking for a string of characters
from the start of a line to the finish of a line. This will not match on a
URI, because the URI will include spaces ( HTTP/1.1). Also remember that the
repetition characters (+*) are greedy by default in Snort.

If you are trying to raise an alert for every event that is NOT a match,
then you can use negated content or pcre matches, e.g. content:!"string"; or
pcre:!"/string/si";. But what I think you are trying to achieve is this:
within character classes you can also use the caret to negate a match, e.g.
[^a-zA-Z]. It goes within the square brackets.

I would try something like this for what you describe:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a number passed to the id parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|city|2e|php|3f|"; nocase; pcre:"/id\x3d[0-9]*?[^0-9]/is"; classtype:web-application-attack; sid:1000000; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET - Not a string passed to the city parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|current|5f|time|5f|in|5f|AF|2e|aspx|3f|"; nocase; pcre:"/city\x3d[a-zA-Z]*?[^a-zA-Z]/is"; classtype:web-application-attack; sid:1000001; rev:1;)

Best regards,

Simon.


Join our New Group on LinkedIn - "IPS Security Rules (Snort & Suricata)"

Custom Snort rules made easy -
http://www.ipssecurityrules.co.uk/products/easy_rules_creator.php
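The following Python script is an added example and is not part of Simon's reply or of Snort itself. It runs the two pcre patterns from the rules above against constructed GET requests, approximating the rule's ordered checks (method token, nocase content, then pcre) with Python's `re` module standing in for PCRE. The `|hex|` content bytes are decoded to their ASCII form here. It also shows a tightened variant of each pattern (my assumption, not from the post) in which the negated class additionally excludes `&` and whitespace: with the lazy `*?` quantifier, the original `[^0-9]` is satisfied by the `&` before the next parameter or the space before `HTTP/1.1`, so a purely numeric id would still fire the rule.

```python
import re

# Flags "/is" on the post's pcre options map to re.I | re.S here.
# Original patterns exactly as written in the two rules above.
ID_ORIG = re.compile(rb"id\x3d[0-9]*?[^0-9]", re.I | re.S)
CITY_ORIG = re.compile(rb"city\x3d[a-zA-Z]*?[^a-zA-Z]", re.I | re.S)

# Tightened variants (assumption, not from the post): the negated class also
# excludes "&" and whitespace, so a well-formed value that simply ends at the
# next parameter or at the space before "HTTP/1.1" no longer satisfies it.
ID_TIGHT = re.compile(rb"id\x3d[0-9]*?[^0-9&\s]", re.I | re.S)
CITY_TIGHT = re.compile(rb"city\x3d[a-zA-Z]*?[^a-zA-Z&\s]", re.I | re.S)

# The rules' |hex| content bytes decoded: "/city.php?" and "/current_time_in_AF.aspx?".
CITY_PHP = b"/city.php?"
CURRENT_TIME = b"/current_time_in_AF.aspx?"


def rule_matches(request: bytes, method: bytes, content: bytes, pcre: re.Pattern) -> bool:
    """Approximate the rule's ordered checks on one raw request: the method token
    (content + http_method), then the nocase content, then the pcre over the payload."""
    request_line = request.split(b"\r\n", 1)[0]
    if request_line.split(b" ", 1)[0] != method:
        return False
    if content.lower() not in request.lower():
        return False
    return pcre.search(request) is not None


def id_rule(request: bytes, tightened: bool = False) -> bool:
    """Rule 1 from the post: non-number passed to the id parameter of /city.php."""
    return rule_matches(request, b"GET", CITY_PHP, ID_TIGHT if tightened else ID_ORIG)


def city_rule(request: bytes, tightened: bool = False) -> bool:
    """Rule 2 from the post: non-string passed to the city parameter of the .aspx page."""
    return rule_matches(request, b"GET", CURRENT_TIME, CITY_TIGHT if tightened else CITY_ORIG)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "numeric id": b"GET /city.php?id=123 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "numeric id, more params": b"GET /city.php?id=123&lang=en HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "alpha id": b"GET /city.php?id=abc HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "mixed id": b"GET /city.php?id=12x HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "post not get": b"POST /city.php?id=abc HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "alpha city": b"GET /current_time_in_AF.aspx?city=Kabul HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "numeric city": b"GET /current_time_in_AF.aspx?city=42 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate_all() -> dict:
    """Return {sample name: (id original, id tightened, city original, city tightened)}."""
    return {name: (id_rule(r), id_rule(r, True), city_rule(r), city_rule(r, True))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{'sample':28s} id orig/tight   city orig/tight")
    for name, flags in evaluate_all().items():
        print(f"{name:28s} {flags[0]!s:5}/{flags[1]!s:5}     {flags[2]!s:5}/{flags[3]!s:5}")
```

Running it shows that the original id pattern fires on `id=123` as well as on `id=abc`, while the tightened variant fires only when a non-digit actually appears inside the value. Python's `re` and PCRE agree on the constructs used here (lazy quantifiers, negated classes, `\x3d`, the `i` and `s` flags), but any real rule should still be validated against a pcap in Snort itself, since the pcre runs against whatever buffer the rule selects and Snort's HTTP preprocessor can change what that buffer contains.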
