[Snort-sigs] Need help with snort rules

Thu Aug 7 13:51:16 EDT 2014


On 08/07/2014 12:43 PM, Sabawoon Mageedzada wrote:
> Hello everyone,
> 
> I have the following rules.
> 
> alert tcp any any -> any 80  (msg:"HTTP GET PACKET with
> parameter";content:"/current_time_in_AF.aspx?city=" ;pcre:"/^[a-zA-Z]+$/
> ";flow:to_server,established;http_method;sid:990992;)
> 
> Or this one. 
> alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
> content:"/city.php?id=" pcre:"/city.php?id=[0-9]{1,10}/iU";
> http_method;flow:to_server,established;sid:20000011;)
> 
> When visiting these websites (random example websites):
> 
> http://dateandtime.info/city.php?id=1138958
> 
> website for rule 1
> http://www.worldtimeserver.com/current_time_in_AF.aspx?city=Kabul

Fixed your rules.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP GET with param
Current Time"; flow:established,to_server; content:"GET"; http_method;
content:"current_time_in_AF.aspx?city="; http_uri; fast_pattern;
pcre:"/^[a-zA-Z]+$/UR"; classtype:bad-unknown; sid:x; rev:1;)

Your PCRE would never match on what you intend it to, lacks proper escapes, and
is just wrong.  Check out 'man pcresyntax'.

Cheers,
Nathan

