<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Specifically, "http" isn't typically going to be in the
      http_raw_uri buffer unless you are looking at the request to a
      proxy.</p>
    <p>Generally, this rule isn't going to be effective or performant. 
      But, to put lipstick on a pig, why not replace "[^\n]*" (which
      will never be seen in the http_raw_uri buffer anyway) with
      something like "[^\x26\Z]*".  (The assumption is that you are
      looking for these characters in HTTP parameter values.) And since
      you look for encoded and unencoded everything else, did you forget
      the encoded dashes ("%2D%2D")?  Also, are you worried about double
      encoding situations? If not, there isn't a need to look for the
      encoded equals sign.<br>
    </p>
    <p>-David<br>
    </p>
    <div class="moz-cite-prefix">On 12/11/18 9:51 PM, bush wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:c67deda.6bbc.167a053f2b3.Coremail.djw25521@163.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div
        style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">Hi<br>
        <div><br>
        </div>
        <div>I wrote a rule to detect single quotes ('), number
          signs (#), semicolons (;), and line-throughs (--) which appear in
          HTTP connections. But when I test it, I find the rule cannot
          detect these signs. I do not know what is wrong with this
          rule. Can anyone give me some help and take a look at it?</div>
        <div><br>
        </div>
        <div>The rule: </div>
        <div><i>alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS any
            (msg:"SQL Injection - Paranoid"; flow:established;
            content:"http"; nocase; http_raw_uri;
pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))/Ii";
            classtype:web-application-attack; sid:30000000; rev:1;)</i></div>
        <div><i><br>
          </i></div>
        <div>Thanks.</div>
        <div><br>
        </div>
        <div style="position:relative;zoom:1">
          <div>Best Regards</div>
          <div>DeJin Wang</div>
        </div>
      </div>
      <br>
      <br>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>
    </blockquote>
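    <p>To make both points of the reply concrete (the <code>content:"http"</code> gate on <code>http_raw_uri</code> and the missing <code>%2D%2D</code>), the following is an added Python model of how the rule's buffer matching behaves; it is not code from the thread or from Suricata, the sample requests and host name are constructed, Python's <code>re</code> stands in for Suricata's PCRE, and the revised wildcard is written <code>[^\x26]*</code> because end of buffer needs no explicit class member.</p>

```python
import re

# Constructed sample traffic (not from the thread). Raw URIs are left
# unnormalised, as Suricata's http_raw_uri buffer would present them.
DIRECT_QUOTE = "GET /item.php?id=1%27 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
PROXY_QUOTE = "GET http://shop.example/item.php?id=1%27 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DIRECT_ENCODED_DASHES = "GET /item.php?id=1%20OR%201%3D1%2D%2D HTTP/1.1\r\nHost: shop.example\r\n\r\n"
PROXY_ENCODED_DASHES = "GET http://shop.example/item.php?id=1%20OR%201%3D1%2D%2D HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BENIGN = "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"

# Regex from the posted rule; Python's re accepts it unchanged and /Ii == re.I.
ORIGINAL_PCRE = re.compile(
    r"((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))", re.I)

# The same check with the reply's suggestions applied: the wildcard stops at
# '&' (\x26) so the match stays inside one parameter value, and encoded
# dashes (%2D%2D) are covered like the other encoded forms.
REVISED_PCRE = re.compile(
    r"(?:%3D|=)[^\x26]*(?:%27|'|--|%2D%2D|%23|#|%3B|;)", re.I)


def raw_uri(request: str) -> str:
    """Request-target exactly as sent (http_raw_uri): no decoding, no normalisation."""
    request_line = request.split("\r\n", 1)[0]
    return request_line.split(" ", 2)[1]


def original_rule_matches(request: str) -> bool:
    """Model the posted rule: content:"http" on http_raw_uri gates the pcre."""
    uri = raw_uri(request)
    # 'http' only appears in the raw URI when the client sends an absolute
    # URI, i.e. a request to a forward proxy; a direct request never passes.
    if "http" not in uri.lower():
        return False
    return ORIGINAL_PCRE.search(uri) is not None


def original_pcre_only(request: str) -> bool:
    """The pcre evaluated on its own, showing the content gate is what kills the rule."""
    return ORIGINAL_PCRE.search(raw_uri(request)) is not None


def revised_rule_matches(request: str) -> bool:
    """Revised detection: no 'http' gate, boundary at '&', %2D%2D included."""
    return REVISED_PCRE.search(raw_uri(request)) is not None
```

    <p>Double encoding (e.g. <code>%2527</code>) is deliberately not handled here; as the reply notes, that is a separate decision that also determines whether matching the encoded equals sign is worth its cost.</p>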
  </body>
</html>