[Oisf-users] Can anyone give me some help for a suricata rule

bush djw25521 at 163.com
Wed Dec 12 02:51:55 UTC 2018


I wrote a rule to detect single quotes ('), number signs (#), semicolons (;), and line-throughs (--) that appear in HTTP connections, but when I tested it, I found that the rule cannot detect these signs. I do not know what is wrong with this rule. Can anyone give me some help and take a look at it?

The rule: 
alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS any (msg:"SQL Injection - Paranoid"; flow:established; content:"http"; nocase; http_raw_uri; pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))/Ii"; classtype:web-application-attack; sid:30000000; rev:1;)


Best Regards
DeJin Wang
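Editor's note, not part of the post above: the reason the rule never fires on an ordinary request is the content keyword, not the pcre. `content:"http"; nocase; http_raw_uri;` tells Suricata to look for the string "http" inside the raw URI buffer, i.e. the `/path?query` part of the request line, which normally contains no such string (only absolute URIs sent to a proxy would). Because that content is also the rule's fast-pattern prefilter, the pcre (whose `/I` modifier already binds it to the raw URI) is never even reached. The Python script below is an added example that models how Suricata evaluates the content match and the pcre on the raw URI buffer, runs the posted pcre over constructed request URIs (not captured traffic), and carries a corrected rule as this editor's suggestion; the model, the URIs and the corrected rule are assumptions, not Suricata code or output.

```python
import re
from typing import Dict, Optional

# The pcre from the posted rule, verbatim.  Suricata's "/Ii" modifiers mean:
# "I" = match against the http_raw_uri buffer, "i" = case-insensitive.
SQLI_PCRE = re.compile(
    r"((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))",
    re.IGNORECASE,
)

# Constructed raw request URIs (assumption: not real traffic) covering the
# four characters the poster wants to catch, encoded variants, and two
# benign requests.
CONSTRUCTED_RAW_URIS = [
    "/login.php?user=admin'--",       # quote followed by a comment marker
    "/search?q=1%27%20OR%201%3D1",    # URL-encoded quote (%27)
    "/item?id=5;DROP",                # semicolon
    "/page?view=list%23",             # URL-encoded number sign (%23)
    "/x?a%3D1%27",                    # only an encoded '=' (%3D), no literal '='
    "/static/app.js",                 # benign, no '=' at all
    "/report?year=2018",              # benign, '=' but none of the terminators
]


def rule_fires(raw_uri: str, content: Optional[str], nocase: bool = True) -> bool:
    """Simplified model (assumption) of how the rule is evaluated on one request.

    With 'http_raw_uri' after 'content:"..."', Suricata tests that content
    against the raw URI buffer only, and the pcre with the /I modifier runs on
    the same buffer.  The rule fires only when the content is found AND the
    pcre matches; the content doubles as the fast-pattern prefilter, so a
    content that is never present in the buffer silently disables the rule.
    content=None models a rule with no content keyword at all (pcre only).
    """
    if content is not None:
        hay = raw_uri.lower() if nocase else raw_uri
        needle = content.lower() if nocase else content
        if needle not in hay:
            return False           # prefilter failed: pcre is never run
    return SQLI_PCRE.search(raw_uri) is not None


def evaluate(content: Optional[str]) -> Dict[str, bool]:
    """Run the rule model over every constructed URI for one content setting."""
    return {uri: rule_fires(uri, content) for uri in CONSTRUCTED_RAW_URIS}


# Corrected rule (this editor's suggestion): the content now looks for '=',
# which the pcre requires anyway, so the prefilter can succeed; 'http' proto,
# one-way direction and to_server are tidy-ups, since http_raw_uri only ever
# inspects requests.  Caveat: a request whose only '=' is encoded as %3D is
# not prefiltered by this content (see the %3D-only URI above); add a second
# sid with content:"%3D" if that matters to you.
CORRECTED_RULE = r'''alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"SQL Injection - Paranoid"; flow:established,to_server; content:"="; http_raw_uri; pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%23)|(\#)|(\%3B)|(\;))/Ii"; classtype:web-application-attack; sid:30000000; rev:2;)'''


if __name__ == "__main__":
    for label, content in (("posted rule, content:\"http\"", "http"),
                           ("corrected rule, content:\"=\"", "="),
                           ("pcre only, no content", None)):
        print(f"== {label}")
        for uri, hit in evaluate(content).items():
            print(f"  {'ALERT ' if hit else 'silent'}  {uri}")
    print("\nSuggested rule:\n" + CORRECTED_RULE)
```

Running it shows every URI staying silent under `content:"http"`, the four injection-style URIs alerting once the content is `"="`, and the `%3D`-only URI alerting only in the pcre-only variant, which is the trade-off of using a content prefilter at all. Note also that a literal `#` in a browser-typed URL is a fragment and never reaches the server; only its encoded form `%23` (or a client that sends it raw) will be seen in the raw URI buffer.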