All Snort rules I've taken a look at so far use a wrong first match for content:"T "; offset:2; depth:3; that is separately matched to the actual "GET /..." URLs.
A simple "GET /swip/Events" would suffice (as even the HTTP/1 suffix is unnecessary, actually). Depending on the final rule parser and software, some IDS might cause false positive alerts because of this.
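The matching behaviour discussed in the post above, modelled in Python as an added example (not code from the post or from any rule set). Assumptions: `depth` is counted from `offset` as in Snort 2 `content` matching, the URL check is modelled as a separate unanchored `content:"/swip/Events"`, the single-content form is anchored at the start of the payload, and all payloads and function names are constructed for illustration.

```python
from typing import List, Optional, Tuple


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Non-relative content match: pattern must lie fully inside
    the window [offset, offset + depth) of the payload."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1


def rule_as_written(payload: bytes) -> bool:
    # content:"T "; offset:2; depth:3;  -> looks at bytes 2..4 only
    first = content_match(payload, b"T ", offset=2, depth=3)
    # Assumed second content with no distance/within: searched independently
    url = content_match(payload, b"/swip/Events")
    return first and url


def rule_single_content(payload: bytes) -> bool:
    # One content covering method and path, anchored at byte 0 (assumption)
    pattern = b"GET /swip/Events"
    return content_match(payload, pattern, offset=0, depth=len(pattern))


# Constructed sample payloads, not captured traffic.
SAMPLES: List[bytes] = [
    b"GET /swip/Events HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PUT /swip/Events HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nref=/swip/Events",
    b"HEAD /swip/Events HTTP/1.1\r\nHost: example.test\r\n\r\n",
]


def evaluate() -> List[Tuple[str, bool, bool]]:
    """Return (request line, two-content result, single-content result)."""
    rows = []
    for payload in SAMPLES:
        request_line = payload.split(b"\r\n", 1)[0].decode()
        rows.append((request_line, rule_as_written(payload),
                     rule_single_content(payload)))
    return rows


if __name__ == "__main__":
    for line, two, one in evaluate():
        print(f"{line:32} two-content={two!s:5} single-content={one}")
```

The window of bytes 2..4 accepts "GET ", "PUT " and "POST " alike, and the unanchored URL content can be satisfied anywhere in the payload, which is why the two forms disagree on the second and third samples.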