<p>Also, are we looking just at HTTP, or other traffic on port 80? Lots of things, legit or not, tunnel there.</p>
<div class="gmail_quote">On Jul 25, 2012 12:05 PM, "Joel Esler" <<a href="mailto:jesler@...1935...">jesler@...1935...</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF"><div>You can't have a pure negative content match rule. <br><br>-- <div>Joel Esler</div></div><div><br>On Jul 25, 2012, at 1:03 PM, Andrew Torres <<a href="mailto:aatorres19@...11827..." target="_blank">aatorres19@...11827...</a>> wrote:<br>
<br></div><div></div><blockquote type="cite"><div><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">This should probably work :-)</span></p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br></span></p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">content:!”GET”; content:!”POST”; http_method;<u></u><u></u></span></p>

<div><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br></span></div><br><div class="gmail_quote">On Wed, Jul 25, 2012 at 11:59 AM, Lay, James <span dir="ltr"><<a href="mailto:james.lay@...15009..." target="_blank">james.lay@...15009...</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Andrew Torres [mailto:<a href="mailto:aatorres19@...846....11827..." target="_blank">aatorres19@...11827...</a>] <br>

<b>Sent:</b> Wednesday, July 25, 2012 10:47 AM<br><b>To:</b> Lay, James<br><b>Cc:</b> <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br><b>Subject:</b> Re: [Snort-users] How to write a snort rule match NO content GET orPOST in http request<u></u><u></u></span></p>

<div><p class="MsoNormal" style="margin-left:.5in"><u></u> <u></u></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">I do not think that accomplishes what he is trying though, as that will simply alert when those strings are not found, not when they are not the http methods involved. The signature is possible I just can not think of a really efficient way of doing it using the http options. You can do a content match for everything but GET and POST and do a fast_pattern of HTTP/1.1 or something. Might be faster to just write individual sigs for the methods that you are concerned about. and use the http_method option in each sig rather than a contnet match. A lot of ways to solve the problem, I am just not sure which is the best. Will wait for someone more knowledge than me to chime in. <u></u><u></u></p>

</div><div><div><p class="MsoNormal" style="margin-left:.5in">On Wed, Jul 25, 2012 at 11:31 AM, Lay, James <<a href="mailto:james.lay@...15015...9..." target="_blank">james.lay@...15009...</a>> wrote:<u></u><u></u></p>

<div><p class="MsoNormal" style="margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">-----Original Message-----<br>From: Tran M. Thang [mailto:<a href="mailto:tmthang@...15658..." target="_blank">tmthang@...15727.....</a>]<br>

Sent: Wednesday, July 25, 2012 12:33 AM<br>To: <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...3893...t</a><br>Subject: [Snort-users] How to write a snort rule match NO content GET<br>

orPOST in http request<br><br>Hi Snort Users,<br><br>Please help me to write a snort rule that matches http request with NO<br>content GET or POST.<br><br>Thanks!<br><br><br><u></u><u></u></p></div><p class="MsoNormal" style="margin-left:.5in">

>From the snort manual, you can use content negation, ie content:!"Get";<br><br>Hope that helps.<br><span style="color:#888888"><br><span>James</span></span><u></u><u></u></p></div><div><div><p class="MsoNormal">

<span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal">

<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’m thinking something like:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">content:!”GET”; content:!”POST”; http_uri;<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">or<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

</div></div></div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">content:!”GET”; content:!”POST”; http_method;<u></u><u></u></span></p><p class="MsoNormal">

<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Perhaps?<span><font color="#888888"><u></u><u></u></font></span></span></p>

<span><font color="#888888"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">James<u></u><u></u></span></p>

</font></span></div></div><br>------------------------------------------------------------------------------<br>
Live Security Virtual Conference<br>
Exclusive live event will cover all the ways today's security and<br>
threat landscape has changed and how IT managers can respond. Discussions<br>
will include endpoint security, mobile security and the latest in malware<br>
threats. <a href="http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/" target="_blank">http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/</a><br>_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br></blockquote></div><br>
</div></blockquote><blockquote type="cite"><div><span>------------------------------------------------------------------------------</span><br><span>Live Security Virtual Conference</span><br><span>Exclusive live event will cover all the ways today's security and </span><br>
<span>threat landscape has changed and how IT managers can respond. Discussions </span><br><span>will include endpoint security, mobile security and the latest in malware </span><br><span>threats. <a href="http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/" target="_blank">http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/</a></span></div>
</blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Snort-users mailing list</span><br><span><a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a></span><br>
<span>Go to this URL to change user options or unsubscribe:</span><br><span><a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a></span><br>
<span>Snort-users list archive:</span><br><span><a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></span><br><span></span><br><span>Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</span></div>
</blockquote></div><br>------------------------------------------------------------------------------<br>
Live Security Virtual Conference<br>
Exclusive live event will cover all the ways today's security and<br>
threat landscape has changed and how IT managers can respond. Discussions<br>
will include endpoint security, mobile security and the latest in malware<br>
threats. <a href="http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/" target="_blank">http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/</a><br>_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...4626...ceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br></blockquote></div>