[Oisf-users] writing custom rule

Vieri rentorbuy at yahoo.com
Fri Feb 22 01:19:29 UTC 2019


Hi,

I'd like to drop a connection when a web client tries to access a URI such as:

https://mydomain.org/path/index.php?something=' type='text'> <script>prompt(1)</script> <a alt='

I tried these custom rules:

drop http $EXTERNAL_NET any -> any any (msg:"Custom Block Policy for code injection"; flow:established,to_server; content:"/"; nocase; http_uri; content:"/"; nocase; http_uri; pcre:"/<script\>.*<\/script\>/i"; classtype:web-application-attack; sid:5010004; rev:1;)

drop tcp $EXTERNAL_NET any -> any any (msg:"Custom Block Policy for code injection via tcp"; flow:established,to_server; content:"/"; pcre:"/<script\>.*<\/script\>/i"; classtype:web-application-attack; sid:5010005; rev:1;)

However, neither of these two rules seems to match.

Actually, maybe SID 2009714 should match before these custom rules, but it doesn't.

I'm supposing it's because it's https instead of http, so the GET parameters are not in clear text.
If so, how could I apply these rules to https?

Vieri
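As an added illustration (not part of the list post or of Suricata itself), the script below parses the first rule's options, pulls out its pcre, and applies it to the URI from the mail in three views: the percent-decoded URI, the raw percent-encoded bytes a client actually sends, and an HTTPS connection where only TLS ciphertext is on the wire. The `normalized` flag is an assumption standing in for a decoded URI buffer; it is not a model of Suricata's real http_uri normalization.

```python
import re
from urllib.parse import quote, unquote

# The first custom rule from the mail, verbatim.
RULE = (r'drop http $EXTERNAL_NET any -> any any (msg:"Custom Block Policy for code injection"; '
        r'flow:established,to_server; content:"/"; nocase; http_uri; content:"/"; nocase; http_uri; '
        r'pcre:"/<script\>.*<\/script\>/i"; classtype:web-application-attack; sid:5010004; rev:1;)')

# Constructed sample: the URI from the mail as a client would request it.
ATTACK_URI = "/path/index.php?something=' type='text'> <script>prompt(1)</script> <a alt='"


def rule_options(rule):
    """Split the option block of a Suricata rule into (keyword, value) pairs, honouring quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = cur.strip().partition(":")
            opts.append((key, val.strip('"')))
            cur = ""
        else:
            cur += ch
    return opts


def compile_pcre(opts):
    """Turn pcre:"/regex/flags" into a Python regex (this rule's body is PCRE/re compatible)."""
    body, _, flags = dict(opts)["pcre"][1:].rpartition("/")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


def on_the_wire(scheme, uri):
    """What a sensor on the path sees: the percent-encoded request for http, nothing usable for https."""
    return quote(uri, safe="/?=&") if scheme == "http" else None


def rule_hits(scheme, uri, normalized=True):
    """Apply the rule's pcre to the visible bytes. normalized=True is an assumed stand-in for a
    percent-decoded URI buffer; False matches the raw bytes exactly as the client sent them."""
    seen = on_the_wire(scheme, uri)
    if seen is None:  # TLS: only ciphertext is visible, so no rule on HTTP content can fire
        return False
    return compile_pcre(rule_options(RULE)).search(unquote(seen) if normalized else seen) is not None


if __name__ == "__main__":
    for scheme, norm in (("http", True), ("http", False), ("https", True)):
        print(scheme, "normalized" if norm else "raw", "->", rule_hits(scheme, ATTACK_URI, norm))
```

The https case shows why the rules cannot fire as written: the sensor needs the decrypted request, which means terminating TLS in front of Suricata (a reverse proxy or TLS-terminating device) and inspecting the plaintext leg.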

