[Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and pattern matching.

Sabawoon Mageedzada sabawoon.majeedzada at ...2420...
Thu Jul 31 08:46:58 EDT 2014


Hello Everyone,

I would appreciate it if anyone can help me out with my Snort rule.

I would like to generate a Snort rule that can detect an HTTP GET parameter.
Example below:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET";
content:"/index.php?action=";http_method;sid:20000011;)

Right now when I type in http://www.example.com/index.php?action=login I do
not get an alert generated using the rule above.

Or how to detect if the GET HTTP method with a specific parameter has been
used or passed a value.

Secondly, how to write a simple pattern that can detect that a specific string
or number pattern has been passed to this GET parameter. Just an example
pattern for guidance would be nice.

Thanks,
SF
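
An added example, not part of the original post: in the rule above, http_method follows the URI string, so that string is searched for in the method buffer; the rules below apply http_method to "GET" and http_uri to the path and parameter, then use pcre with the U flag to constrain the value. They assume Snort 2.9.x with the http_inspect preprocessor handling port 80; the sid values, msg texts and value patterns are constructed for illustration.

```snort
# A content modifier (http_method, http_uri, nocase, ...) applies to the
# content option immediately before it.

# 1) Any GET request to /index.php that carries the "action" parameter.
alert tcp any any -> any 80 ( \
    msg:"HTTP GET index.php with action parameter"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php?action="; http_uri; \
    sid:1000001; rev:1;)

# 2) The parameter carries one specific string value (here "login").
#    The content match stays in the rule as a cheap pre-filter; pcre with
#    the U flag runs against the same normalized URI buffer and anchors the
#    end of the value so "login2" or "loginadmin" do not match.
alert tcp any any -> any 80 ( \
    msg:"HTTP GET action=login"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php?action="; http_uri; \
    pcre:"/\/index\.php\?action=login(&|$)/U"; \
    sid:1000002; rev:1;)

# 3) The parameter carries a purely numeric value of 1 to 10 digits.
alert tcp any any -> any 80 ( \
    msg:"HTTP GET action with numeric value"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php?action="; http_uri; \
    pcre:"/\/index\.php\?action=\d{1,10}(&|$)/U"; \
    sid:1000003; rev:1;)

# 4) "action" appears anywhere in the query string, not only first.
alert tcp any any -> any 80 ( \
    msg:"HTTP GET action parameter in any position"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/index.php?"; http_uri; \
    content:"action="; http_uri; \
    pcre:"/[?&]action=[^&]+/U"; \
    sid:1000004; rev:1;)
```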