[Snort-sigs] Can't generate alerts on HTTP GET attacks

Nicholas Mavis (nmavis) nmavis at ...3865...
Tue Jul 8 10:45:43 EDT 2014

Another thing to note is that even though the double slash (//) should be removed, it would still function as it will be normalized to a single forward slash. If you were attempting to detect an actual double slash, you would need to use “http_raw_uri” instead of “http_uri”.

Simon is also correct that the URI encoding in your rule will be normalized.


From: Simon Wesseldine <simon.wesseldine at ...3930...<mailto:simon.wesseldine at ...3930...>>
Date: Thursday, July 3, 2014 at 4:21 AM
To: "snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...1306...et>" <snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...1744...net>>
Subject: Re: [Snort-sigs] Can't generate alerts on HTTP GET attacks

Hi Sabawoon,

I notice from the rule you have written, that you have included the percent encoded characters (e.g. content:"//index.php?keywords=http%3A%2F%2Frevftdrcghjwcom%2F ";)
Depending on your configuration of Snort, the percent encoding is likely to be normalized and you should write your rule for the normalized version of the attack. Also check to make sure that "%2f%sf" is not being normalized to "/".

Try changing you content matches to the normalized version (e.g. content:"|2f|index|2e|php|3f|keywords|3d|http|3a 2f 2f|revftdrcghjw|2e|com|2f|";) and let Snort do the work for you.
If you wanted to be extra cautious, you could use pcre and write - pcre:"/\x2findex\x2ephp\x3fkeywords\x3dhttp(\x253a|\x3a)(\x252f|\x2f)?revftdrcghjw\x2ecom(\x25|\x2f)/i";

If this is not your intention, then maybe you should consider the keywords 'raw' in your matches.

hope that helps.
Best regards,

Please join our new group on linkedin - IPS Security Rules (Snort & Suricata)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140708/4e8b3a6c/attachment.html>

More information about the Snort-sigs mailing list