[Snort-users] How to write a snort rule match NO content GET or POST in http request

Shaiming Hsiung shaiming.hsiung at ...11827...
Thu Jul 26 16:03:18 EDT 2012


> That shouldn't work. You can't specify a content modifier to a PCRE; if you
> want the PCRE to operate just on the method, you need the /M flag.

Right, sorry:

pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])/iM";

(I still hope this approach is valid).
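A coverage check for the pattern above, as an added example that is not part of the original post. It models the /M buffer as the bare method string (an assumption); the lookahead pattern and the sample methods are constructed here for comparison only.

```python
import re

# Pattern quoted from the post. Snort's /i maps to re.IGNORECASE; the /M flag
# is modelled by handing the regex only the method string (assumption).
POSTED = re.compile(
    r"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])",
    re.IGNORECASE,
)

# Comparison pattern (not from the thread): alert unless the buffer is exactly
# GET or POST, optionally followed by a space.
LOOKAHEAD = re.compile(r"^(?!(?:GET|POST)(?: |$))", re.IGNORECASE)

# Constructed sample method buffers, including truncated tokens.
SAMPLES = ["GET", "POST", "get", "PUT", "HEAD", "OPTIONS", "DELETE",
           "GETX", "POSTS", "G", "GE", "P", "PO", "POS"]


def alerts(pattern, method):
    """True when the rule's pcre option would match this method buffer."""
    return pattern.search(method) is not None


def coverage(pattern, methods=SAMPLES):
    """Map each sample method to whether the pattern alerts on it."""
    return {m: alerts(pattern, m) for m in methods}


def disagreements(methods=SAMPLES):
    """Methods on which the posted alternation and the lookahead differ."""
    return [m for m in methods if alerts(POSTED, m) != alerts(LOOKAHEAD, m)]


if __name__ == "__main__":
    posted, look = coverage(POSTED), coverage(LOOKAHEAD)
    print(f"{'method':<10}{'posted':<8}{'lookahead'}")
    for m in SAMPLES:
        print(f"{m:<10}{str(posted[m]):<8}{look[m]}")
    print("differ on:", disagreements())
```

The two patterns differ only on strict prefixes of GET and POST: every branch of the posted alternation needs one more character than such a prefix supplies, so those buffers produce no alert.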



