[Snort-users] How to write a snort rule match NO content GET orPOST in http request

Joel Esler jesler at ...1935...
Wed Jul 25 15:01:49 EDT 2012


You can't have a pure negative content match rule. 

-- 
Joel Esler

On Jul 25, 2012, at 1:03 PM, Andrew Torres <aatorres19 at ...11827...> wrote:

> This should probably work :-)
> 
> 
> 
> content:!”GET”; content:!”POST”; http_method;
> 
> 
> 
> On Wed, Jul 25, 2012 at 11:59 AM, Lay, James <james.lay at ...15009...> wrote:
>  
> 
>  
> 
> From: Andrew Torres [mailto:aatorres19 at ...11827...] 
> Sent: Wednesday, July 25, 2012 10:47 AM
> To: Lay, James
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] How to write a snort rule match NO content GET orPOST in http request
> 
>  
> 
> I do not think that accomplishes what he is trying though, as that will simply alert when those strings are not found, not when they are not the http methods involved. The signature is possible I just can not think of a really efficient way of doing it using the http options. You can do a content match for everything but GET and POST and do a fast_pattern of HTTP/1.1 or something. Might be faster to just write individual sigs for the methods that you are concerned about. and use the http_method option in each sig rather than a contnet match. A lot of ways to solve the problem, I am just not sure which is the best. Will wait for someone more knowledge than me to chime in. 
> 
> On Wed, Jul 25, 2012 at 11:31 AM, Lay, James <james.lay at ...15009...> wrote:
> 
> -----Original Message-----
> From: Tran M. Thang [mailto:tmthang at ...15658...]
> Sent: Wednesday, July 25, 2012 12:33 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] How to write a snort rule match NO content GET
> orPOST in http request
> 
> Hi Snort Users,
> 
> Please help me to write a snort rule that matches http request with NO
> content GET or POST.
> 
> Thanks!
> 
> 
> 
> >From the snort manual, you can use content negation, ie content:!"Get";
> 
> Hope that helps.
> 
> James
> 
>  
> 
>  
> 
> I’m thinking something like:
> 
>  
> 
> content:!”GET”; content:!”POST”; http_uri;
> 
>  
> 
> or
> 
>  
> 
> content:!”GET”; content:!”POST”; http_method;
> 
>  
> 
> Perhaps?
> 
>  
> 
> James
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120725/1508af86/attachment.html>


More information about the Snort-users mailing list