[Snort-users] My first rule on the way :)

Dan Hollis goemon at ...62...
Tue Jul 25 06:53:50 EDT 2000


On Tue, 25 Jul 2000, Jan-Frode Myklebust wrote:
> The signature of it is something like:
> "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/command"
> but the arguments to the cgi-script might come in a different order, so what
> I would like to catch is packets with
> "GET /cgi-bin/infosrch.cgi?" and then "fname=|".
> Is that possible without writing one rule for every combination of the
> argument line, or should I just match on "fname=|" within depth=X?

Snort should probably have a feature added to allow chaining rules
together. This would allow you to do what you want. This would also allow for
arbitrarily complex rules, and if properly used could probably cut down on
the number of false positives.

-Dan
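Later Snort releases do allow a single rule to carry several `content:` options, all of which must match, in any order and at any offset, which covers the reordered-argument case Jan-Frode asks about without one rule per permutation. The Python below is an added example, not code from this thread or from the Snort project: it extracts the `content:` patterns from a hypothetical rule (the sid 1000001 is a placeholder) and applies that AND logic to constructed request lines.

```python
# Added example: mimic how a Snort rule with several content: options
# behaves. Every content: pattern must be present in the payload; order
# and position do not matter, so one rule covers any argument ordering.
import re

# Hypothetical rule (not from the thread); sid 1000001 is a placeholder
# in the local-rule range, not a real Snort/VRT signature id.
RULE = (
    'alert tcp any any -> any 80 '
    '(msg:"WEB-CGI infosrch.cgi command injection attempt"; '
    'flow:to_server,established; '
    'content:"GET /cgi-bin/infosrch.cgi?"; '
    'content:"fname=|"; '
    'sid:1000001; rev:1;)'
)

# Matches the quoted pattern of each content: option, allowing escaped quotes.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def rule_contents(rule):
    """Return every content: pattern in the rule, in the order written."""
    return CONTENT_RE.findall(rule)


def rule_matches(rule, payload):
    """True only when all content: patterns occur somewhere in the payload."""
    return all(pattern.encode() in payload for pattern in rule_contents(rule))


# Constructed request lines used to exercise the rule (not captured traffic).
SAMPLES = {
    "documented_order": b"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/command HTTP/1.0\r\n",
    "reordered_args":   b"GET /cgi-bin/infosrch.cgi?fname=|/bin/command&db=man&cmd=getdoc HTTP/1.0\r\n",
    "benign_lookup":    b"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls HTTP/1.0\r\n",
    "other_script":     b"GET /cgi-bin/other.cgi?fname=|/bin/command HTTP/1.0\r\n",
}


def check_samples():
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(RULE, line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in check_samples().items():
        print(f"{name:18s} alert={fired}")
```

A production rule would also need to handle a URL-encoded pipe (`%7C`), which is why Snort's HTTP inspector offers a normalized URI buffer for content matches.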