Snort Rules: Ep.9 – Exploit Kits

Question

I am pulling my hair with question number 8

Create a Snort rule to detect the third GET request in the second PCAP file, then submit the token.

This one should do it but it is not working.
alert tcp any any -> any any (msg:"detect the third GET request"; content:"e31e6edb08bf0ae9fbb32210b24540b6fl"; sid:1000001)

I tried so many rules base on the first GET header and still unable to get the token. Any tips?

samdickison · Answer

Hey retornet​, I've seen that Stark​ and bluejacket​ have completed this. I wonder if they have any tips for you :-D
If not I can get some help from one of the team.

Forum Discussion

Snort Rules: Ep.9 – Exploit Kits

1 Reply

Featured Places

Help & Support Forum

Related Content

Snort Rules: Ep.7 – Lokibot Infection Traffic

Snort Rules: Ep.5 – Fake Tech Support Popup

Pen Test CTFs: Jinja2 Exploitation

Cross-Site Scripting: Ep.6 – Further Exploitation

Human Connection Challenge: Season 1 – Web Exploitation - XSS

Recent Discussions

Incident Response: P2 - stuck on Q11

Python: Expert Challenge 3

Haunted Hollow 2023: Haywire Host

CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive Question

Kusto Query Language: Ep.9 – Parsing Complex Data Types.