[Snort-users] How to write a snort rule match NO content GET or POST in http request
Tran M. Thang
tmthang at ...15658...
Mon Jul 30 01:53:04 EDT 2012
I made a rule and I got an alert with it:
alert tcp any any -> any 80 (msg:"No GET or POST http_method to Web-server"; flow:to_server,established ; pcre:!"/GET|POST/smi"; classtype:Web-application-attack; sid:1260736; rev:4;)
----- Original Message -----
From: "Shaiming Hsiung" <shaiming.hsiung at ...11827...>
To: "Alex Kirk" <akirk at ...1935...>
Cc: "Tran M. Thang" <tmthang at ...15658...>, snort-users at lists.sourceforge.net
Sent: Friday, July 27, 2012 3:03:18 AM
Subject: Re: [Snort-users] How to write a snort rule match NO content GET or POST in http request
> That shouldn't work. You can't specify a content modifier to a PCRE; if you
> want the PCRE to operate just on the method, you need the /M flag.
pcre: "/^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])/iM";
(I still hope this approach is valid).
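To see why the method buffer matters, here is an added Python check (not Snort, and not code from anyone in the thread) that applies both regexes quoted above to a few constructed requests: the first over the whole payload with Snort's `!` negation, the second over an approximation of the http_method buffer, which is assumed here to be the first token of the request line.

```python
import re

# Both patterns are copied from the thread; flags map Snort's smi / iM to Python.
# Rule 1: pcre:!"/GET|POST/smi" is negated, so it alerts when nothing in the
# whole payload matches GET or POST (case-insensitive).
WHOLE_PAYLOAD_RE = re.compile(r"GET|POST", re.S | re.M | re.I)
# Rule 2: the /M flag makes the PCRE run only over the http_method buffer.
METHOD_RE = re.compile(
    r"^([^GP]|G[^E]|GE[^T]|GET[^ ]|P[^O]|PO[^S]|POS[^T]|POST[^ ])", re.I)


def http_method(payload: bytes) -> str:
    """Approximation (assumption) of Snort's http_method buffer: the token
    before the first space on the request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0].decode("latin-1")


def whole_payload_rule_alerts(payload: bytes) -> bool:
    """Rule 1: alert only when GET/POST appears nowhere in the payload."""
    return WHOLE_PAYLOAD_RE.search(payload.decode("latin-1")) is None


def method_rule_alerts(payload: bytes) -> bool:
    """Rule 2: alert when the method itself is neither GET nor POST."""
    return METHOD_RE.search(http_method(payload)) is not None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "post": b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Length: 6\r\n\r\nuser=a",
    "head": b"HEAD /status HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # the URI contains "get", which silences the negated whole-payload PCRE
    "options": b"OPTIONS /budget HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # a method that merely starts with GET is not GET
    "gets": b"GETS /x HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def evaluate(payload: bytes) -> tuple:
    """(rule 1 alerts?, rule 2 alerts?) for one request payload."""
    return whole_payload_rule_alerts(payload), method_rule_alerts(payload)


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        whole, method = evaluate(payload)
        print(f"{name:8} whole-payload={whole!s:5} method-buffer={method}")
```

The HEAD request alerts under both rules, but the OPTIONS and GETS requests only alert under the method-buffer version, which is the difference the /M flag makes.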