[Snort-users] How to write a snort rule match NO content GET or POST in http request
shaiming.hsiung at ...11827...
Thu Jul 26 15:38:01 EDT 2012
> Please help me to write a snort rule that matches http request with NO content GET or POST.
I have in the past used a regex like the following:
pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^
A bit hairy but works, and uses only non-negated rules.
It essentially matches a packet that begins with anything
but "GET " or "POST ":
The packet can start with:
- any letter except G and P
- or G followed by any letter except E
- or GE followed by any letter except T
Beware; this is vulnerable to fragmentation.
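An added example, not part of the original post: the alternation described above run over constructed payloads in Python, next to a negative-lookahead form and a per-segment versus reassembled check that shows the fragmentation caveat. The pattern on the page is cut off after `POST[^`, so the final `[^ ]` branch and the closing are assumptions, and all function names are hypothetical.

```python
import re

# Alternation built from the post's description. The page's pattern is cut
# off after "POST[^"; the last branch and the closing are assumed here.
NOT_GET_POST = re.compile(
    rb"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])")

# Same intent written with a negative lookahead, for comparison only.
LOOKAHEAD = re.compile(rb"^(?!GET |POST )")


def alerts(payload: bytes) -> bool:
    """True when the non-negated alternation fires on this payload."""
    return NOT_GET_POST.match(payload) is not None


def alerts_lookahead(payload: bytes) -> bool:
    """True when the lookahead form fires on this payload."""
    return LOOKAHEAD.match(payload) is not None


def per_segment(segments):
    """Verdict for each segment on its own, as a raw per-packet match sees it."""
    return [alerts(s) for s in segments]


def reassembled(segments) -> bool:
    """Verdict for the whole stream after the segments are joined."""
    return alerts(b"".join(segments))


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for p in (b"GET /index.html HTTP/1.1\r\n", b"POST /login HTTP/1.1\r\n",
              b"PUT /upload HTTP/1.1\r\n", b"GETX / HTTP/1.1\r\n",
              b"OPTIONS * HTTP/1.1\r\n", b"GET"):
        print(p, alerts(p), alerts_lookahead(p))

    # A legitimate GET split across two segments (constructed).
    split_get = [b"GE", b"T /index.html HTTP/1.1\r\n"]
    print(per_segment(split_get))  # the second segment alerts on its own
    print(reassembled(split_get))  # the joined stream does not
```

The alternation needs a byte that deviates from the method prefix, so a payload shorter than the prefix never matches, and a continuation segment of a split request is judged as if it were the start of a request; matching against the reassembled stream removes both effects.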