[Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and

Simon Wesseldine simon.wesseldine at ...3930...
Thu Jul 31 12:20:08 EDT 2014


Hi Sabawoon,


When you are writing your rules, be careful with formatting and putting
spaces in the right place.

Try this example:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|index|2e|php|3f|"; nocase; http_uri; classtype:web-application-attack; sid:1000000; rev:1;)

There are a couple of other key points you should also follow when writing
your rules. Try to use variables and add the port numbers to them in
snort.conf; it will make life a lot easier in the future and should
catch more bad traffic. Also, try to add a revision number to your sids,
which helps in troubleshooting many versions of one rule.

I don't like to add plugs on this mailing list, but a tool that will help you
to write better Snort rules is available FREE from this link -
http://www.ipssecurityrules.co.uk/rules/download_creator.php.

Go try it out.


Best regards,

Simon.
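The following is an added illustration, not part of Simon's message or of Snort itself: a small Python script that takes the two content matches from the rule above and applies them to a handful of constructed HTTP requests. It decodes the |hex| escapes in the URI content (so you can see that |2f|index|2e|php|3f| is just /index.php?), applies nocase only where the rule has it, and restricts each match to the buffer the rule names (http_method for the method token, http_uri for the request URI), which is why the same bytes appearing in a Referer header do not fire. It is a simplification: real Snort matches http_uri against the normalized URI and does far more, and all sample requests here are made up for the demonstration.

```python
"""Offline check of what the posted Snort rule's content matches actually match."""
import re

# Constructed sample requests (not captured traffic), raw HTTP/1.1 with CRLF line ends.
SAMPLE_REQUESTS = {
    "get_index": b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_mixed_case": b"GET /Index.PHP?page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post_index": b"POST /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    "get_other": b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "pattern_in_header_only": (b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n"
                               b"Referer: http://www.example.com/index.php?x=1\r\n\r\n"),
}

# The two content matches from the posted rule, verbatim.
METHOD_CONTENT = "GET"                    # content:"GET"; http_method;   (no nocase: exact bytes)
URI_CONTENT = "|2f|index|2e|php|3f|"      # content:"..."; nocase; http_uri;

_HEX_SEGMENT = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def decode_content(pattern: str) -> bytes:
    """Expand the |hh hh| hex sections of a Snort content string into raw bytes.

    '|2f|index|2e|php|3f|' -> b'/index.php?'
    """
    out = bytearray()
    pos = 0
    for m in _HEX_SEGMENT.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")   # literal text before the |..|
        out += bytes.fromhex(m.group(1).replace(" ", ""))  # the hex bytes themselves
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def parse_request(raw: bytes):
    """Return (method, uri, header_block) for a raw request, or None if malformed."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _sep, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], header_block


def rule_matches(raw: bytes) -> bool:
    """Apply the rule's two content checks to one request.

    http_method looks only at the method token and http_uri only at the request
    URI, so the same bytes in a header or body do not count. Simplification:
    real Snort inspects the normalized URI; this compares the raw one.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, _headers = parsed
    if method != METHOD_CONTENT.encode():          # no nocase on the method content
        return False
    needle = decode_content(URI_CONTENT).lower()   # nocase: compare case-folded bytes
    return needle in uri.lower()


def evaluate_samples() -> dict:
    """Run every constructed request through the rule; returns name -> matched."""
    return {name: rule_matches(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

Running it shows get_index and get_mixed_case alerting (nocase covers the mixed-case URI), while post_index fails on the method check, get_other never contains the decoded string, and pattern_in_header_only is ignored because the bytes sit outside the http_uri buffer.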
