Snort mailing list archives
HTTP preprocessor and POST data
From: Xavi Garcia <xavi.garcia () gmail com>
Date: Thu, 25 Mar 2010 19:26:38 +0100
Hi, I am learning how HTTP Inspect works and also trying to write some rules that use normalized data. I think that all is explained in the documentation and you have done a great job, but I have a doubt regarding the POST data. I am sure that my question is too obvious, but I have tried to find the right answer by myself without luck. :) I see that the newer versions of Snort permit to normalize data from the URI, headers, cookies and the body, but there is nothing about the POST data. I have tried to use the different modifiers for "content" without luck. I understand that POST data cannot be normalized, but there is no mention in the documentation. Am I wrong? In that case, which is the best practice when I want to detect an attack that is using POST instead of GET? Thank you very much for your help :) Regards, Xavier Garcia
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 30)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 30)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 31)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)