Full Disclosure mailing list archives
Content detection in html payload with snort ?
From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Thu, 19 May 2005 12:44:15 +0200
Hi list,

I could not find an answer to my problem, so I am asking the list: I use Snort to detect attackers playing with my web application. I try to detect some specific text in the HTML response, like "Bad User" or "Warning Mysql Error". But Snort stays blind.
Sample:

1 - Attacker -> web-server : http://server/script.asp?param=' or 1=1--
2 - web-server -> attacker : 200 OK, ......<html>......datatype error....

I try to catch the string "datatype error" with a Snort rule like this:

    alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; flow:from_server,established; content:"datatype error"; classtype:web-application-attack; sid:80005; rev:1;)
But Snort never detects that. I tried with binary mode, same result. When I sniff with ethereal, the packets I try to catch look like this:

attacker -> web-server : HTTP : GET http://server/script.asp?param='
web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified
web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)

Does anyone have an idea?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
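
An added example, not part of the original post: a small Python check, run over constructed response segments, that compares matching each TCP payload on its own with matching across segment boundaries for the strings named in the post. The function names and the sample bytes are assumptions made for the illustration.

```python
# Strings the post wants to alert on in server responses (case-sensitive,
# like a content: match without nocase).
PATTERNS = [b"datatype error", b"Bad User", b"Warning Mysql Error"]

# Constructed sample: one response whose body splits the string across two
# TCP payloads, and one where the string sits whole in a follow-on payload.
SPLIT = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>",
    b"<p>query failed: dataty",
    b"pe error in param</p></body></html>",
]
INTACT = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>",
    b"<p>query failed: datatype error in param</p></body></html>",
]


def match_per_segment(segments, patterns=PATTERNS):
    """Match each payload in isolation, as a per-packet content check does."""
    hits = set()
    for seg in segments:
        hits.update(p for p in patterns if p in seg)
    return hits


def match_stream(segments, patterns=PATTERNS):
    """Match across boundaries by carrying the tail of the previous payload."""
    keep = max(len(p) for p in patterns) - 1  # longest possible partial match
    tail, hits = b"", set()
    for seg in segments:
        window = tail + seg
        hits.update(p for p in patterns if p in window)
        tail = window[-keep:] if keep else b""
    return hits


if __name__ == "__main__":
    for name, segs in (("split", SPLIT), ("intact", INTACT)):
        print(name, "per-segment:", sorted(match_per_segment(segs)),
              "stream:", sorted(match_stream(segs)))
```
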