[Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and pattern matching.

Y M snort at ...3751...
Thu Jul 31 08:55:02 EDT 2014



Date: Thu, 31 Jul 2014 08:46:58 -0400
From: sabawoon.majeedzada at ...2420...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and pattern matching.

Hello Everyone,
I would appreciate it if anyone can help me out with my Snort rule.
I would like to generate a Snort rule that can detect an HTTP GET parameter. Example below:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; content:"/index.php?action=";http_method;sid:20000011;) 
* The http_method content modifier should refer to the "GET" content match and the URI content match. So a modified version of your rule:

alert tcp any any -> any 80 (msg:"HTTP GET paramater"; content:"GET"; http_method; content:"/index.php?action="; http_uri; sid:20000011;)


Right now when I type in http://www.example.com/index.php?action=login I do not get an alert generated using the rule above.
Or how to detect if the GET HTTP method with a specific parameter has been used or passed a value.

Secondly, how to write a simple pattern that can detect that a specific string or number pattern has been passed to this GET parameter. Just an example pattern for guidance would be nice.
* I am not sure what you mean here, but I am guessing something along the lines of a url query parameter?

Thanks, SF
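
A simplified Python model, added here and not part of the original thread, of why the rule in the question never fires while the rule in the reply does. The buffer splitting, the rule tuples, the sample requests and the numeric-value pattern are assumptions for illustration and are not Snort's implementation (no URI normalization is modelled).

```python
import re

def http_buffers(raw: bytes) -> dict:
    """Split a request into the buffers the rule options inspect (simplified)."""
    request_line = raw.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return {"raw": raw, "http_method": method, "http_uri": uri}

def rule_matches(rule, raw: bytes) -> bool:
    """rule is a list of (kind, pattern, buffer); every option must match."""
    bufs = http_buffers(raw)
    for kind, pattern, buffer in rule:
        data = bufs[buffer]
        if kind == "content" and pattern not in data:   # case-sensitive, like content
            return False
        if kind == "pcre" and not re.search(pattern, data):
            return False
    return True

# Rule from the question: http_method follows the URI content, so the URI
# string is searched in the method buffer, which only ever holds "GET".
ORIGINAL = [("content", b"GET", "raw"),
            ("content", b"/index.php?action=", "http_method")]

# Rule from the reply: each content is followed by its own modifier.
CORRECTED = [("content", b"GET", "http_method"),
             ("content", b"/index.php?action=", "http_uri")]

# Assumed extension for the second question: a numeric value for "action",
# the kind of test a pcre option with the U (URI buffer) flag would express.
NUMERIC_ACTION = CORRECTED + [("pcre", rb"[?&]action=\d+(&|$)", "http_uri")]

# Constructed sample requests.
LOGIN = b"GET /index.php?action=login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NUMERIC = b"GET /index.php?action=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST = b"POST /index.php?action=login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL), ("corrected", CORRECTED),
                       ("numeric", NUMERIC_ACTION)]:
        print(name, [rule_matches(rule, r) for r in (LOGIN, NUMERIC, POST)])
```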
