[Snort-sigs] Can't generate alerts on HTTP GET attacks

Simon Wesseldine simon.wesseldine at ...3930...
Thu Jul 3 04:21:05 EDT 2014


Hi Sabawoon,

I notice from the rule you have written that you have included the percent
encoded characters (e.g. content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjwcom%2F ";)

Depending on your configuration of Snort, the percent encoding is likely to
be normalized and you should write your rule for the normalized version of
the attack. Also check to make sure that "%2f%sf" is not being normalized to
"/".

Try changing your content matches to the normalized version (e.g.
content:"|2f|index|2e|php|3f|keywords|3d|http|3a 2f 2f|revftdrcghjw|2e|com|2f|";)
and let Snort do the work for you.

If you wanted to be extra cautious, you could use pcre and write -
pcre:"/\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f)?revftdrcghjw\x2ecom(\x25|\x2f)/i";

If this is not your intention, then maybe you should consider the keywords
'raw' in your matches.

Hope that helps.

Best regards,

Simon.

Please join our new group on LinkedIn - IPS Security Rules (Snort & Suricata)
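The normalization point in the reply above, as an added example that is not part of the original message: a small Python model of HTTP URI percent-decoding that checks the thread's percent-encoded content, the |hex| content from the reply, and the reply's pcre against the raw, fully normalized and partially normalized (%2F left encoded) buffers. The sample URI and the encoded content string are constructed to fit each other; the pcre's slash group is made repeatable ({0,2}) so that it consumes both slashes of "http://", which is my adjustment rather than the reply's text.

```python
import re

# Constructed sample request URI, modelled on the one discussed in the thread
RAW_URI = "/index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"

# Content in the style of the original rule: percent-encoded literal (constructed)
ENCODED_CONTENT = "index.php?keywords=http%3A%2F%2Frevftdrcghjw.com%2F"

# Content as the reply suggests: decoded form written in Snort |hex| notation
HEX_CONTENT = "|2f|index|2e|php|3f|keywords|3d|http|3a 2f 2f|revftdrcghjw|2e|com|2f|"

# The reply's pcre; the slash group is {0,2} instead of ? (my adjustment) so it
# consumes both slashes of "http://" in either encoded or decoded form
PCRE = re.compile(
    r"\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f){0,2}"
    r"revftdrcghjw\x2ecom(\x25|\x2f)", re.I)


def normalize_uri(raw: str, decode_slash: bool = True) -> str:
    """Percent-decode a URI the way an HTTP preprocessor does before content
    matching. decode_slash=False leaves %2F encoded, the configuration case
    the reply says to check for."""
    def repl(m):
        byte = int(m.group(1), 16)
        if byte == 0x2F and not decode_slash:
            return m.group(0)
        return chr(byte)
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, raw)


def snort_content_to_bytes(content: str) -> bytes:
    """Turn Snort content syntax with |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_matches(content: str, buffer: str) -> bool:
    return snort_content_to_bytes(content) in buffer.encode("latin-1")


def evaluate(uri: str) -> dict:
    """Report which of the three matches fire against one URI buffer."""
    return {"encoded_content": content_matches(ENCODED_CONTENT, uri),
            "hex_content": content_matches(HEX_CONTENT, uri),
            "pcre": PCRE.search(uri) is not None}


if __name__ == "__main__":
    for label, buf in [("raw", RAW_URI), ("normalized", normalize_uri(RAW_URI)),
                       ("normalized, %2F kept", normalize_uri(RAW_URI, False))]:
        print(f"{label:22s} {buf}\n{'':22s} {evaluate(buf)}")
```

Only the pcre fires on every buffer; each content keyword fires only against the form of the URI it was written for, which is why the decoded content (or the raw buffer, if that is the intent) has to match the Snort configuration in use.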
