As Peter says, the Custom Attack Editor guide is great to get these working... I always have to test and re-test though to make sure they only trigger for the content I want... and deploy alert only first
Try this as the string to search in URI:
That should match the /546*34, but you must make sure the other parameters are OK (get, post, etc.) if using UDS. If using Snort, then simply specifying content:"\/546\*34"; http_uri; should work (I think!)
I would also suggest you bookmark regex101.com - it has really helped me work out the strings to use on UDS or SNORT rules, so hopefully it helps you too, guys. Just remember you don't always need pcre, but strings used could be similar.
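The test-and-re-test step described in the post above can be scripted. This is an added example, not part of the original post: it checks candidate regexes for the literal /546*34 against constructed URIs and reports misses and false triggers. It assumes Python's re module as a stand-in for PCRE (the two agree for these patterns); the URI lists and the evaluate helper are hypothetical.

```python
import re

# Constructed sample request URIs (not taken from real traffic).
SHOULD_MATCH = [
    "/546*34",
    "/app/546*34?id=1",
]
SHOULD_NOT_MATCH = [
    "/5434",       # an unescaped '6*' allows zero sixes
    "/54666634",   # ... or many sixes
    "/546x34",
    "/546/34",
]

def evaluate(pattern):
    """Return (false_negatives, false_positives) for a candidate regex."""
    rx = re.compile(pattern)
    false_negatives = [u for u in SHOULD_MATCH if not rx.search(u)]
    false_positives = [u for u in SHOULD_NOT_MATCH if rx.search(u)]
    return false_negatives, false_positives

# Candidate patterns for the literal string "/546*34".
CANDIDATES = {
    "unescaped": r"/546*34",                    # '*' acts as a quantifier
    "escaped": r"/546\*34",                     # '*' is a literal asterisk
    "auto-escaped": re.escape("/546*34"),       # let the library escape it
}

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        fn, fp = evaluate(pattern)
        verdict = "OK" if not fn and not fp else "FAIL"
        print(f"{name:13} {pattern!r:14} {verdict}")
        for uri in fn:
            print(f"    missed:        {uri}")
        for uri in fp:
            print(f"    false trigger: {uri}")
```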