[Snort-users] How to write a snort rule match NO content GET or POST in http request

Alex Kirk akirk at ...1935...
Thu Jul 26 15:46:40 EDT 2012


That shouldn't work. You can't specify a content modifier to a PCRE; if you
want the PCRE to operate just on the method, you need the /M flag.

On Thu, Jul 26, 2012 at 12:38 PM, Shaiming Hsiung <shaiming.hsiung at ...11827...> wrote:

> > Please help me to write a snort rule that matches http request with NO
> content GET or POST.
>
> I have in the past used a regex like the following:
>
>     pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])/i"; http_method;
>
> A bit hairy but works, and uses only non-negated rules.
> It essentially matches a packet that begins with anything
> but "GET " or "POST ":
>
> The packet can start with:
>     - any letter except G and P
>     - or G followed by any letter except E
>     - or GE followed by any letter except T
>     - etc.
>
> Beware: this is vulnerable to fragmentation.
>
> Regards,
>
> --
> Shaiming Hsiung
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
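As an added illustration (not part of the original thread, and not Snort code), the Python script below runs the regular expression Shaiming posted over a handful of constructed request lines, first against the start of the request buffer and then against the bare method token (the buffer that Snort's /M modifier restricts the pcre to, which is the correction Alex gives), and finally shows the fragmentation caveat from the quoted message by feeding the same GET request in two pieces. The function and constant names (is_not_get_or_post, method_token, method_is_not_get_or_post, per_segment_verdicts, SAMPLES, FRAGMENTED_GET) and the sample request lines are mine.

```python
import re

# The expression exactly as posted in the thread; Snort's /i flag is re.IGNORECASE.
# Every alternative is a positive character class, so no negative lookahead is
# needed: the buffer matches iff its first bytes are NOT "GET " or "POST ".
NOT_GET_OR_POST = re.compile(
    rb"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])",
    re.IGNORECASE,
)


def is_not_get_or_post(buf: bytes) -> bool:
    """True if buf does not begin with 'GET ' or 'POST ' (case-insensitive).

    Mirrors the posted pcre applied to the start of the request buffer.
    An empty or too-short buffer never matches, because every alternative
    needs one more byte after the prefix it checks.
    """
    return NOT_GET_OR_POST.match(buf) is not None


def method_token(request_line: bytes) -> bytes:
    """Return just the method (hypothetical helper standing in for the
    request-method buffer that Snort's /M modifier selects)."""
    return request_line.split(b" ", 1)[0]


def method_is_not_get_or_post(request_line: bytes) -> bool:
    """Same pcre, run against the method token only.

    On a bare method the 'GET[^ ]' and 'POST[^ ]' branches can never fire,
    which is the desired behaviour: 'GET' and 'POST' match nothing, while
    'GETS' or 'PUT' still do.
    """
    return is_not_get_or_post(method_token(request_line))


def per_segment_verdicts(segments):
    """Apply the pcre to each TCP segment on its own (no stream reassembly).

    Shows the fragmentation caveat: a request split inside the method makes
    the second segment start with a byte other than G or P, so it matches.
    """
    return [is_not_get_or_post(seg) for seg in segments]


# Constructed sample request lines (not captured traffic), with the verdict
# the pcre should give for each.
SAMPLES = {
    b"GET / HTTP/1.1\r\n": False,       # allowed method, no alert
    b"POST /login HTTP/1.1\r\n": False,
    b"get / HTTP/1.1\r\n": False,       # /i makes the check case-insensitive
    b"HEAD / HTTP/1.1\r\n": True,       # [^GP]
    b"PUT /x HTTP/1.1\r\n": True,       # P[^O]
    b"OPTIONS * HTTP/1.1\r\n": True,    # [^GP]
    b"GETS / HTTP/1.1\r\n": True,       # GET[^ ]
}

# A legitimate GET request split across two segments at "GE" | "T ...".
FRAGMENTED_GET = [b"GE", b"T / HTTP/1.1\r\n"]


if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        got = is_not_get_or_post(line)
        assert got == expected, (line, got)
        assert method_is_not_get_or_post(line) == expected, line
        print(f"{line[:8]!r:14} alert={got}")

    # Per-packet inspection flags the second fragment; the reassembled
    # stream does not.
    print("per-segment:", per_segment_verdicts(FRAGMENTED_GET))          # [False, True]
    print("reassembled:", is_not_get_or_post(b"".join(FRAGMENTED_GET)))  # False
```

The per-segment result is the false positive Shaiming warns about: "GE" matches nothing, but "T / HTTP/1.1" matches [^GP]. In Snort the equivalent of the second half of the script is to drop the trailing http_method; and append M to the pcre flags (pcre:"/^(...)/iM"), so the expression is evaluated against the method buffer that the HTTP inspector has already reassembled and extracted, rather than against whatever bytes happen to start a packet.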