[Snort-sigs] Setting up a rule for a repeating pattern

Gurgen Hakobyan hakobyan at ...3751...
Mon Mar 21 20:03:48 EDT 2016


Hi,

I need to set up a rule that would detect a repetition of headers within an HTTP session.

Only initial headers have to be examined (not the content), so we are not going to process huge amounts of data. I want to detect anything that sends two of the same headers (say 2 POST requests, etc.). The repetitions are not necessarily successive.

How is that possible using Snort rules syntax? If I use a command like

alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)

it will detect the pattern once, but how do I repeat it?

Thanks,
Gurgen
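
An added example, not part of the original post and not Snort rule syntax: the check described above (repeated request methods across one session, not necessarily successive, and repeated header names within a request, with bodies skipped) written as standalone Python. The function names and the sample session are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: client side of one keep-alive HTTP session (not captured traffic).
SAMPLE_SESSION = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n"
    b"X-Token: a\r\nx-token: b\r\n\r\nuser=test"
    b"GET /home HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /update HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) \S+ HTTP/\d\.\d$")


def parse_requests(stream):
    """Yield (method, [header names]) per request; bodies are skipped, not inspected."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block: stop rather than guess
        lines = stream[pos:end].split(b"\r\n")
        match = REQUEST_LINE.match(lines[0])
        if not match:
            break  # framing lost (not a request line): stop
        names, length = [], 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            name = name.strip().lower().decode("ascii", "replace")
            names.append(name)  # header names compare case-insensitively
            if name == "content-length" and value.strip().isdigit():
                length = int(value.strip())
        yield match.group(1).decode(), names
        pos = end + 4 + length  # jump over the body to the next request


def find_repeats(stream):
    """Return (methods seen more than once, [(request index, duplicated header names)])."""
    methods, dup_headers = Counter(), []
    for index, (method, names) in enumerate(parse_requests(stream)):
        methods[method] += 1
        dups = sorted(n for n, c in Counter(names).items() if c > 1)
        if dups:
            dup_headers.append((index, dups))
    return sorted(m for m, c in methods.items() if c > 1), dup_headers


if __name__ == "__main__":
    print(find_repeats(SAMPLE_SESSION))
```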

