Cisco Support Community

New Member

How to log the whole GET request ?

How can I log the whole GET request for an HTTP server? The signature has to trigger if a special string is matching, and I would like to get the whole GET request sent to the server, because I want to see if the request was sent by a script or from a browser and what the Referer was. Using a regex like GET /hugo.*$ gives me only the first line.

Any ideas ?

4 REPLIES

Re: How to log the whole GET request ?

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

New Member

Re: How to log the whole GET request ?

Actually I did something similar with Snort rules (which you can easily do with the Cisco signature rules). Basically I looked for any request without the User-Agent field. So your rule would probably require HTTP/1.something and must not contain a User-Agent field. I would use the HTTP part because an attacker may not use Host or other common fields.

Cisco Employee

Re: How to log the whole GET request ?

Two CRLF pairs is the key here.

Try something like Get /hugo.*[\r\n][\r\n][\r\n][\r\n]

The request is terminated by two sets of CRLF pairs. The above regex will accept them in either order.

New Member

Re: How to log the whole GET request ?

Actually that is only correct if there are no other fields associated with the request. If there are other fields then it will be only one \r\n. Some scripted attacks use limited fields; for instance Code Red uses the Host header and Accept as well. I believe Whisker will use or can use some of the other headers as well.
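The point made in the last two replies (the request line is followed by a single CRLF when header lines are present, and only a bare request ends in CRLF CRLF right after the request line) and the User-Agent heuristic from the second reply can be checked with ordinary regexes. The following is an added example in Python's re module, not Cisco IPS signature syntax and not code from anyone in this thread; the three sample requests are constructed for the example and the /hugo path is taken from the original question.

```python
"""Added example: capture a whole HTTP request header block with a regex.

Python re syntax, not Cisco signature syntax. The sample requests are
constructed for this example; the only thing taken from the thread is
the "/hugo" path used in the original question.
"""
import re
from typing import Dict, Optional

# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (
    b"GET /hugo/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0\r\n"
    b"Referer: http://www.example.com/start.html\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
SCRIPT_REQUEST = (
    b"GET /hugo/admin.cgi?x=1 HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
BARE_REQUEST = b"GET /hugo HTTP/1.0\r\n\r\n"

# What the original poster saw with "GET /hugo.*$": "." does not cross a
# line break, so only the request line is captured.
FIRST_LINE_RE = re.compile(rb"GET /hugo[^\r\n]*")

# The "two CRLF pairs" suggestion from the thread: request line followed
# directly by four CR/LF characters. Because "." stops at "\n" this only
# matches a request that carries no header lines at all.
TWO_CRLF_RE = re.compile(rb"GET /hugo.*[\r\n][\r\n][\r\n][\r\n]")

# Whole header block: request line, zero or more "Name: value" lines, then
# the empty line that terminates the headers. Header lines are matched
# explicitly instead of letting "." span lines, so a body is never included.
FULL_REQUEST_RE = re.compile(rb"GET /hugo[^\r\n]*\r\n(?:[^\r\n]+\r\n)*\r\n")


def match_first_line(request: bytes) -> Optional[bytes]:
    """Return only the request line, as the single-line regex does."""
    m = FIRST_LINE_RE.search(request)
    return m.group(0) if m else None


def match_two_crlf_pairs(request: bytes) -> bool:
    """True only when CRLF CRLF directly follows the request line."""
    return TWO_CRLF_RE.search(request) is not None


def match_full_request(request: bytes) -> Optional[bytes]:
    """Return the complete header block (request line through blank line)."""
    m = FULL_REQUEST_RE.search(request)
    return m.group(0) if m else None


def parse_headers(request: bytes) -> Dict[str, str]:
    """Split the captured block into a {lowercased-name: value} dict."""
    block = match_full_request(request)
    if block is None:
        return {}
    headers: Dict[str, str] = {}
    for line in block.decode("latin-1").split("\r\n")[1:]:
        if not line:          # blank line: end of headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(request: bytes) -> Dict[str, object]:
    """Pull out what the original poster wanted to see and apply the
    thread's heuristic: no User-Agent header suggests a script, not a browser."""
    headers = parse_headers(request)
    first = match_first_line(request)
    return {
        "request_line": first.decode("latin-1") if first else None,
        "user_agent": headers.get("user-agent"),
        "referer": headers.get("referer"),
        "looks_scripted": "user-agent" not in headers,
    }


if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQUEST),
                      ("script", SCRIPT_REQUEST),
                      ("bare", BARE_REQUEST)):
        print(name, "two-CRLF regex hits:", match_two_crlf_pairs(req))
        print(name, classify(req))
```

Running it shows that the two-CRLF regex fires only on the bare request, while FULL_REQUEST_RE captures all three header blocks and stops before any body; the User-Agent check then flags the script-style request and leaves the browser request alone.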
