[Snort-sigs] Help needed writing GET requests

Mon Jul 14 14:57:49 EDT 2014


Describe, specifically, what you want to match on and I can help.  Otherwise
your question is too generic to offer any assistance outside of:

alert tcp any any -> any any (msg:"GET to some content";
flow:established,to_server; content:"GET"; http_method; content:"some content";
pcre:"/some pattern/"; ...

Cheers,
Nathan


On 07/14/2014 01:52 PM, Sabawoon Mageedzada wrote:
> Hello Everyone,
> 
> I would appreciate it if someone could help me with writing a rule that helps me
> detect GET requests to a web application. I am a newbie and I have tried some
> rules which did not work.
> 
> The next step: there will be multiple GET requests to a web application, and a
> dynamic rule that can detect a specific pattern inside the GET request would
> also help me. These are GET requests that are suspicious to the web application and
> they are crafted to attack the web application. What type of attack is this kind
> of scenario?
> 
> Also, what output module should I use for my alerts to be human readable? unified2
> and fast are all binary; I would like to have better alert files that would
> help me read the alert files in the /logs directory.
> 
> Using Snort version 2.9.3.
> 
> Thanks,
> SF
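A complete rule of the shape Nathan sketches, together with the snort.conf output lines the original question asks about. This is an added example and not code from the thread: the rule's message text, the `/app/` path, the traversal pattern it looks for, and sid 1000001 are all placeholders chosen for illustration (sids from 1000000 upward are reserved for local rules). The options themselves (`http_method`, `http_uri`, `http_raw_uri`, the `I` pcre modifier, `alert_fast`, `alert_full`) exist in Snort 2.9.x.

```conf
# --- local.rules -------------------------------------------------------------
# Fire on a GET request whose raw URI carries a directory-traversal sequence
# under the /app/ path. Pinning "GET" to the http_method buffer and the path to
# http_uri keeps the rule from matching the same bytes in a request body or in
# unrelated traffic on $HTTP_PORTS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL WEB-APP traversal attempt in GET to /app/";        \
    flow:established,to_server;                                   \
    content:"GET"; http_method;                                   \
    content:"/app/"; http_uri; nocase;                            \
    content:"../"; http_raw_uri;                                  \
    pcre:"/\/app\/[^\s]*\.\.\//I";                                \
    classtype:web-application-attack;                             \
    sid:1000001; rev:1; )

# --- snort.conf --------------------------------------------------------------
# Plain-text outputs alongside unified2: alert_fast writes one line per alert,
# alert_full writes the alert plus the decoded packet headers. Both land in the
# directory given with -l (the /logs directory in the question).
output alert_fast: alert.fast
output alert_full: alert.full
output unified2: filename snort.u2, limit 128
```

Two points behind the choices above. First, the traversal match uses `http_raw_uri` and the `I` pcre modifier rather than `http_uri`/`U`, because http_inspect's `directory` normalization can collapse `../` out of the normalized URI before the rule sees it. Second, `pcre` is placed after the fast-pattern `content` checks so the regex only runs on packets that already matched the cheap literal strings; for quick testing without editing snort.conf, `snort -c snort.conf -A console` prints the same alert_fast lines to the terminal.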
