[Snort-users] How to write a snort rule match NO content GET orPOST in http request

Alex Kirk akirk at ...1935...
Wed Jul 25 15:10:11 EDT 2012


Also, are we looking just at HTTP, or other traffic on port 80? Lots of
things, legit or not, tunnel there.
On Jul 25, 2012 12:05 PM, "Joel Esler" <jesler at ...1935...> wrote:

> You can't have a pure negative content match rule.
>
> --
> Joel Esler
>
> On Jul 25, 2012, at 1:03 PM, Andrew Torres <aatorres19 at ...11827...> wrote:
>
> This should probably work :-)
>
>
> content:!"GET"; content:!"POST"; http_method;
>
>
> On Wed, Jul 25, 2012 at 11:59 AM, Lay, James <james.lay at ...15009...> wrote:
>
>> *From:* Andrew Torres [mailto:aatorres19 at ...11827...]
>> *Sent:* Wednesday, July 25, 2012 10:47 AM
>> *To:* Lay, James
>> *Cc:* snort-users at lists.sourceforge.net
>> *Subject:* Re: [Snort-users] How to write a snort rule match NO content
>> GET orPOST in http request
>>
>> I do not think that accomplishes what he is trying though, as that will
>> simply alert when those strings are not found, not when they are not the
>> http methods involved. The signature is possible; I just can not think of a
>> really efficient way of doing it using the http options. You can do a
>> content match for everything but GET and POST and do a fast_pattern of
>> HTTP/1.1 or something. Might be faster to just write individual sigs for
>> the methods that you are concerned about, and use the http_method option in
>> each sig rather than a content match. A lot of ways to solve the problem, I
>> am just not sure which is the best. Will wait for someone more knowledgeable
>> than me to chime in.
>>
>> On Wed, Jul 25, 2012 at 11:31 AM, Lay, James <james.lay at ...15009...>
>> wrote:
>>
>> -----Original Message-----
>> From: Tran M. Thang [mailto:tmthang at ...15658...]
>> Sent: Wednesday, July 25, 2012 12:33 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] How to write a snort rule match NO content GET
>> orPOST in http request
>>
>> Hi Snort Users,
>>
>> Please help me to write a snort rule that matches http request with NO
>> content GET or POST.
>>
>> Thanks!
>>
>> From the snort manual, you can use content negation, ie content:!"Get";
>>
>> Hope that helps.
>>
>> James
>>
>> I'm thinking something like:
>>
>> content:!"GET"; content:!"POST"; http_uri;
>>
>> or
>>
>> content:!"GET"; content:!"POST"; http_method;
>>
>> Perhaps?
>>
>> James
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
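To make the difference between the two proposals in this thread concrete, here is an added Python emulation (not Snort code, and not written by any of the posters) of how a negated content applied to the whole payload behaves versus a negation restricted to the method buffer with a positive anchor, run over constructed requests. The `http_method` helper is an assumed, simplified stand-in for what the HTTP preprocessor's method buffer would hold.

```python
"""Emulate the two rule ideas from the thread over constructed HTTP requests.
This is an illustration of matching semantics only, not a Snort implementation."""
import re

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    # Method is PUT, but the string "GET" appears in the URI.
    b"PUT /upload/GET_report.txt HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PROPFIND /dav/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Method is OPTIONS, but "POST" appears in a header value.
    b"OPTIONS * HTTP/1.1\r\nHost: example.test\r\nX-Via: POST-proxy\r\n\r\n",
    # Non-HTTP bytes on the port, as Alex Kirk's reply warns about.
    b"not http at all\r\n",
]


def http_method(payload: bytes):
    """Assumed stand-in for the http_method buffer: the method token of a
    well-formed request line, or None when there is no request line."""
    m = re.match(rb"^([A-Z]+) \S+ HTTP/1\.[01]\r\n", payload)
    return m.group(1) if m else None


def negated_content_whole_payload(payload: bytes) -> bool:
    """content:!"GET"; content:!"POST"; with no buffer modifier: fires only
    when neither string occurs anywhere in the payload."""
    return b"GET" not in payload and b"POST" not in payload


def negated_content_method_buffer(payload: bytes) -> bool:
    """content:"HTTP/1."; fast_pattern; content:!"GET"; http_method;
    content:!"POST"; http_method;  (positive anchor, negation in method buffer)."""
    if b"HTTP/1." not in payload:
        return False
    method = http_method(payload)
    if method is None:
        return False
    return b"GET" not in method and b"POST" not in method


def compare(requests):
    """Return (method, whole-payload verdict, method-buffer verdict) per request."""
    return [(http_method(r), negated_content_whole_payload(r),
             negated_content_method_buffer(r)) for r in requests]


if __name__ == "__main__":
    for method, whole, buffered in compare(SAMPLE_REQUESTS):
        print(f"{method!r:12} whole_payload={whole!s:5} method_buffer={buffered}")
```

The whole-payload version misses the PUT and OPTIONS requests because the negated strings occur elsewhere in the request, and fires on the non-HTTP bytes; the method-buffer version gets all six cases right.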