[Snort-sigs] Need help with snort rules

Sabawoon Mageedzada sabawoon.majeedzada at ...2420...
Thu Aug 7 13:43:56 EDT 2014


Hello everyone,

I have the following rules.

alert tcp any any -> any 80  (msg:"HTTP GET PACKET with
parameter";content:"/current_time_in_AF.aspx?city=" ;pcre:"/^[a-zA-Z]+$/ "
;flow:to_server,established;http_method;sid:990992;)

Or this one.
alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
content:"/city.php?id=" pcre:"/city.php
?id=[0-9]{1,10}/iU";http_method;flow:to_server,established;sid:20000011;)

When visiting these websites (random example websites):

http://dateandtime.info/city.php?id=1138958

website for rule 1
http://www.worldtimeserver.com/current_time_in_AF.aspx?city=Kabul

I do not see any alerts generated or shown on screen.
The goal is to generate alerts if a specific attribute is used with an HTTP GET
request. For example, I should get alerts if an HTTP GET attribute gets a
value. For example, I should get an alert if the date attribute is used
here: http://www.example.com/index.php?date=something


Thanks,
SF
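
The following is an added example, not part of the original post and not Snort's own code: a simplified Python model of how the options of the second rule are evaluated against a constructed request for the posted URL, next to a corrected layout and a generic `date=` check. It assumes that `http_method` binds to the content option that precedes it and that the wrapped pcre has no space before `?id=`; the `buffers` and `evaluate` helpers and the option tuples are hypothetical names.

```python
import re

# Constructed request for the second URL in the post (not captured traffic).
REQUEST = (b"GET /city.php?id=1138958 HTTP/1.1\r\n"
           b"Host: dateandtime.info\r\n\r\n")

def buffers(raw):
    """Split a request into simplified stand-ins for Snort's HTTP buffers."""
    method, uri, _ = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    return {"raw": raw, "http_method": method, "http_uri": uri}

def evaluate(options, raw):
    """Return the first failing option, or None when all match (rule alerts).

    Each option is (kind, pattern, buffer); kind is 'content' (literal bytes)
    or 'pcre' (regex body without the /.../ delimiters, case-insensitive).
    """
    bufs = buffers(raw)
    for kind, pattern, buf in options:
        data = bufs[buf]
        if kind == "content":
            hit = pattern in data
        else:
            hit = re.search(pattern, data, re.I) is not None
        if not hit:
            return (kind, pattern, buf)
    return None

# Rule 2 as posted. Assumption: http_method modifies the preceding content,
# so the URI string is searched in a buffer that only holds "GET". The pcre
# body leaves '?' unescaped, which makes the final 'p' optional instead of
# matching a literal question mark.
POSTED = [
    ("content", b"GET", "raw"),
    ("content", b"/city.php?id=", "http_method"),
    ("pcre", rb"city.php?id=[0-9]{1,10}", "http_uri"),
]
# Corrected layout: method and URI are each checked in their own buffer.
FIXED = [
    ("content", b"GET", "http_method"),
    ("content", b"/city.php?id=", "http_uri"),
    ("pcre", rb"\/city\.php\?id=[0-9]{1,10}", "http_uri"),
]
# Generic form of the last case in the post: any GET whose URI carries date=.
DATE_PARAM = [("content", b"GET", "http_method"),
              ("pcre", rb"[?&]date=", "http_uri")]

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "->", evaluate(rule, REQUEST) or "alert")
```

In Snort rule syntax the corrected layout corresponds to placing `http_method;` directly after `content:"GET";` and `http_uri;` directly after the URI content, with `\?` escaped inside the pcre.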