
How to bypass the Snort rule?

Çağlar Arlı      -    82 Views

I am learning Snort rules and faced difficulties with the following exercise.

Give examples of requests which bypass the following rule.

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:100; content:"SUBSTR"; nocase; distance:0; pcre:"/Cookie\x3a.*SELECT.+SUBSTR/i";)

Please help me to find the solutions.