[Snort-sigs] Setting up a rule for a repeating pattern

Geoffrey Serrao gserrao at ...435...
Mon Mar 21 20:09:44 EDT 2016

Hi Gurgen,

You might use the following strategy for detecting a repeating "POST"

content:"POST "; depth:5; content:"POST "; distance:0;

This will enter on the raw buffer and look for an additional "POST "
following the first content match.

On Mon, Mar 21, 2016 at 8:03 PM, Gurgen Hakobyan <hakobyan at ...3751...>

> Hi,
> I need to setup a rule that would detect a repetition of headers within a
> HTTP session.
> Only initial headers have to be examined (not the content), so we are not
> going to process huge amounts of data. I want to detect anything that sends
> two of same headers (say 2 POST requess, etc.). The repetitions are not
> necessarily successive..
> How is that possible using Snort rules syntax? If I use command like
> alert tcp any any -> any any (msg:”Secret traffic";
> pcre:”/USERNAME|PASSWORD/i"; sid:666; rev:1;)
> it will detect the pattern once, but how do I repeat it?
> Thanks,
> Gurgen
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20160321/69c24140/attachment.html>

More information about the Snort-sigs mailing list