[Snort-sigs] Setting up a rule for a repeating pattern
hakobyan at ...3751...
Mon Mar 21 20:03:48 EDT 2016
I need to set up a rule that would detect a repetition of headers within an HTTP session.
Only initial headers have to be examined (not the content), so we are not going to process huge amounts of data. I want to detect anything that sends two of the same headers (say 2 POST requests, etc.). The repetitions are not necessarily successive.
How is that possible using Snort rules syntax? If I use a command like
alert tcp any any -> any any (msg:"Secret traffic"; pcre:"/USERNAME|PASSWORD/i"; sid:666; rev:1;)
it will detect the pattern once, but how do I repeat it?
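
As an added example (not part of the original post), here is the check being asked about, written as stand-alone Python rather than Snort rule syntax: it examines only the header block of one request, ignores the body, and reports header names that occur more than once even when the repeats are not adjacent. The sample requests and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: one request head with a non-adjacent duplicate header.
# The body deliberately contains "Host:" twice to show it is not examined.
SAMPLE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: a.example\r\n"
    b"Content-Length: 11\r\n"
    b"User-Agent: test\r\n"
    b"content-length: 0\r\n"
    b"\r\n"
    b"Host: body\r\nHost: body"
)
CLEAN = b"GET / HTTP/1.1\r\nHost: a.example\r\nAccept: */*\r\n\r\n"

def header_block(raw: bytes) -> bytes:
    """Return only the header lines: drop the request line and the body."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    _, _, fields = head.partition(b"\r\n")
    return fields

def repeated_headers(raw: bytes) -> dict:
    """Map each header name (lower-cased) seen more than once to its count."""
    names = Counter()
    for line in header_block(raw).split(b"\r\n"):
        if line[:1] in b" \t":          # empty or folded continuation line
            continue
        name, sep, _ = line.partition(b":")
        if sep and name.strip():
            names[name.strip().lower().decode("latin-1")] += 1
    return {n: c for n, c in names.items() if c > 1}

# The same test as one regex: capture a header name at the start of a line,
# then require that name again at the start of any later line (back-reference).
DUP_RE = re.compile(rb"^([^:\s]+):.*?^\1:", re.I | re.M | re.S)

def has_repeat(raw: bytes) -> bool:
    """True if any header name occurs twice in the header block."""
    return DUP_RE.search(header_block(raw)) is not None

if __name__ == "__main__":
    print(repeated_headers(SAMPLE), has_repeat(SAMPLE))
    print(repeated_headers(CLEAN), has_repeat(CLEAN))
```
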