[Snort-users] How to write a snort rule match NO content GET or POST in http request

Shaiming Hsiung shaiming.hsiung at ...11827...
Thu Jul 26 15:38:01 EDT 2012


> Please help me to write a snort rule that matches http request with NO content GET or POST.

I have in the past used a regex like the following:

    pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])/i"; http_method;

A bit hairy but works, and uses only non-negated rules.
It essentially matches a packet that begins with anything
but "GET " or "POST ":

The packet can start with:
    - any letter except G and P
    - or G followed by any letter except E
    - or GE followed by any letter except T
    - etc.

Beware: this is vulnerable to fragmentation.

Regards,

--
Shaiming Hsiung
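As an added example (not part of the original post), the alternation above run with Python's `re` over a few constructed request lines, next to the negative-lookahead form it avoids. The sample inputs and helper names (`not_get_or_post`, `disagreements`) are assumptions of this example, and the buffer fed in is the whole request line rather than Snort's method buffer.

```python
import re

# The non-negated alternation from the post: matches a buffer that begins
# with anything other than "GET " or "POST " (case-insensitive).
NON_NEGATED = re.compile(
    r"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])",
    re.IGNORECASE,
)

# The same intent written as a negative lookahead, for comparison only.
LOOKAHEAD = re.compile(r"^(?!GET |POST )", re.IGNORECASE)

# Constructed request lines (not captured traffic). The last entries are
# deliberately truncated to show the fragmentation caveat from the post.
SAMPLES = [
    "GET / HTTP/1.1",
    "POST /login HTTP/1.1",
    "HEAD / HTTP/1.1",
    "PUT /item HTTP/1.1",
    "get / HTTP/1.1",
    "GETS / HTTP/1.1",
    "GET",
    "POST",
    "GE",
    "",
]


def not_get_or_post(buf: str) -> bool:
    """True when the alternation rule would fire on this buffer."""
    return NON_NEGATED.match(buf) is not None


def flag_requests(lines):
    """Return the lines the alternation rule flags as neither GET nor POST."""
    return [line for line in lines if not_get_or_post(line)]


def disagreements(lines):
    """Lines where the alternation and the lookahead disagree.

    Every alternative needs one byte *after* the GET/POST prefix, so a
    buffer cut short at the method never matches, while the lookahead
    happily fires on it. That is the fragmentation weakness in practice.
    """
    return [
        line for line in lines
        if (NON_NEGATED.match(line) is None) != (LOOKAHEAD.match(line) is None)
    ]
```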