[Snort-users] How to write a snort rule match NO content GET or POST in http request

Tran M. Thang tmthang at ...15658...
Mon Jul 30 01:53:04 EDT 2012


Thanks Sir,

I made a rule and I got an alert with it:

alert tcp any any -> any 80 (msg:"No GET or POST http_method to Web-server"; flow:to_server,established; pcre:!"/GET|POST/smi"; classtype:web-application-attack; sid:1260736; rev:4;)



----- Original Message -----
From: "Shaiming Hsiung" <shaiming.hsiung at ...11827...>
To: "Alex Kirk" <akirk at ...1935...>
Cc: "Tran M. Thang" <tmthang at ...15658...>, snort-users at lists.sourceforge.net
Sent: Friday, July 27, 2012 3:03:18 AM
Subject: Re: [Snort-users] How to write a snort rule match NO content GET or POST in http request

> That shouldn't work. You can't specify a content modifier to a PCRE; if you
> want the PCRE to operate just on the method, you need the /M flag.

Right, sorry:

pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])/iM";

(I still hope this approach is valid).
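As an added illustration (not part of this thread), here is a small Python check that runs both pcre patterns from this message against constructed HTTP requests: it models Snort's /M method buffer as the first token of the request line (an assumption about the normalized buffer) and the unflagged pattern as a search over the whole payload, which shows why the two rules disagree on a HEAD request that merely mentions GET elsewhere.

```python
import re

# Added example, not code from the mailing-list thread. It re-evaluates the
# two pcre patterns posted above under a simplified model of Snort matching:
#   - without /M the pattern is searched across the entire request payload;
#   - with /M only the method token of the request line is examined
#     (assumption: the buffer holds the bare token, e.g. b"GET", no space).

# Rule 1 from the post: pcre:!"/GET|POST/smi" (negated, whole payload).
WHOLE_PAYLOAD = re.compile(r"GET|POST", re.S | re.M | re.I)
# Rule 2 from the post: pcre:"/^(...)/iM" (anchored, method buffer only).
METHOD_ONLY = re.compile(
    r"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])", re.I)


def http_method(payload: bytes) -> str:
    """Return the method token as the /M buffer would present it."""
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0].decode("ascii", "replace")


def rule1_alerts(payload: bytes) -> bool:
    # Negated pcre: the rule fires only when GET/POST appear nowhere.
    return WHOLE_PAYLOAD.search(payload.decode("latin-1")) is None


def rule2_alerts(payload: bytes) -> bool:
    # Anchored pcre on the method token: fires when it is not GET or POST.
    return METHOD_ONLY.search(http_method(payload)) is not None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "plain_head": b"HEAD / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "head_with_get_in_header": (b"HEAD / HTTP/1.1\r\nHost: example.test\r\n"
                                b"Referer: http://example.test/?q=GET\r\n\r\n"),
    "put": b"PUT /upload HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate() -> dict:
    """Map each sample to (rule1 alerts?, rule2 alerts?)."""
    return {name: (rule1_alerts(p), rule2_alerts(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (r1, r2) in evaluate().items():
        print(f"{name:24} whole-payload rule: {r1!s:5} method-buffer rule: {r2}")
```

The third sample is the interesting one: the whole-payload negation stays silent because "GET" occurs in a header value, while the method-buffer form still alerts on the HEAD method.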
