
List:       snort-sigs
Subject:    Re: [Snort-sigs] Need help with Snort Rule for a HTTP GET parameter and
From:       "Simon Wesseldine" <simon.wesseldine () idappcom ! com>
Date:       2014-07-31 16:20:08
Message-ID: 003f01cfacdb$4c939770$e5bac650$ () wesseldine () idappcom ! com

Hi Sabawoon,

When you are writing your rules, be careful with formatting and putting
spaces in the right place.

Try this example:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET parameter"; flow:to_server,established; content:"GET"; http_method; content:"|2f|index|2e|php|3f|"; nocase; http_uri; classtype:web-application-attack; sid:1000000; rev:1;)

There are a couple of other key points you should also follow when writing
your rules. Try and use variables and add the port numbers to them in
the Snort.conf; it will make life a lot easier in the future and should
catch more bad traffic. Also, try and add a revision number to your sids,
which helps in troubleshooting many versions of one rule.

I don't like to add plugs on this mailing list, but a tool that will help you to
write better Snort rules is available FREE from this link -
http://www.ipssecurityrules.co.uk/rules/download_creator.php.

Go try it out.

Best regards,

Simon.
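A small added model of how the rule above inspects a request (my own example, not code from Simon's post or from Snort itself): it expands the |xx| hex notation to /index.php? and applies the http_method, http_uri and nocase restrictions to a few constructed requests, so you can see which ones the rule would fire on and why.

```python
import re

# Added example, not code from the original post or from Snort: a minimal
# model of the rule's two content checks (http_method and http_uri + nocase).
RULE_METHOD = "GET"                          # content:"GET"; http_method;
RULE_URI_CONTENT = "|2f|index|2e|php|3f|"    # content:"..."; nocase; http_uri;


def decode_snort_content(pattern: str) -> bytes:
    """Expand |hex bytes| blocks in a Snort content string into raw bytes."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9a-fA-F ]+\|)", pattern):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece.strip("|").replace(" ", ""))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def rule_matches(request: bytes) -> bool:
    """Return True when the request satisfies both content checks of the rule."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:            # method SP request-target SP version
        return False
    method, uri = parts[0], parts[1]
    # http_method: the first content is compared only against the method buffer
    if method != RULE_METHOD.encode():
        return False
    # http_uri + nocase: the second content is searched only in the URI buffer,
    # case-insensitively; it decodes to b"/index.php?", so a query string must follow
    needle = decode_snort_content(RULE_URI_CONTENT).lower()
    return needle in uri.lower()


# Constructed sample requests (not captured traffic) to exercise the rule.
SAMPLES = {
    "get_with_param":  b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "mixed_case_path": b"GET /Index.PHP?page=2 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "post_same_uri":   b"POST /index.php?id=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "no_query_string": b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "other_script":    b"GET /admin/login.php?index.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}
```

Only the first two samples fire: the POST fails the http_method check, and the last two lack the exact "/index.php?" byte sequence in the URI buffer.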






_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
