Snort mailing list archives
Re: HTTP preprocessor and POST data
From: Xavi Garcia <xavi.garcia () gmail com>
Date: Thu, 25 Mar 2010 20:00:25 +0100
Hi,

Thank you for your fast answer. As far as I understand, http_uri works like uricontent. It is useful to fix the resource being requested, but then we have to match against the data. I have only been able to do so when I use "content" without modifiers.

Regards,
Xavier Garcia

2010/3/25 Crook, Parker <Parker_Crook () reyrey com>
Xavi,

You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however, for the data normalization, I'm having a brain-fart right now... maybe somebody else knows. Perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";

-Parker

------------------------------
From: Xavi Garcia [mailto:xavi.garcia () gmail com]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] HTTP preprocessor and POST data

Hi,

I am learning how HTTP Inspect works and am also trying to write some rules that use normalized data. I think that all is explained in the documentation and you have done a great job, but I have a doubt regarding the POST data. I am sure that my question is too obvious, but I have tried to find the right answer by myself without luck. :)

I see that the newer versions of Snort permit normalizing data from the URI, headers, cookies and the body, but there is nothing about the POST data. I have tried to use the different modifiers for "content" without luck. I understand that POST data cannot be normalized, but there is no mention in the documentation. Am I wrong? In that case, what is the best practice when I want to detect an attack that is using POST instead of GET?

Thank you very much for your help :)

Regards,
Xavier Garcia
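The thread turns on which buffer a `content` match is restricted to. As an added illustration (not code from the list or from Snort itself), the script below models, in simplified form, the buffers that Snort's HTTP Inspect preprocessor exposes to content modifiers (`http_method`, `http_uri`, `http_header`, `http_cookie`, `http_client_body`) and runs a constructed POST request through them. It shows why a pattern that lives in the POST body is found by an unmodified `content` and by `http_client_body`, but not by `http_uri`. The buffer split is an assumption for teaching purposes: it handles a single complete HTTP/1.x request with CRLF line endings and does no reassembly or decoding.

```python
# Added example (not Snort's own code): a simplified model of the buffers that
# Snort's HTTP Inspect preprocessor exposes to rule content modifiers, used to
# show where a pattern sitting in a POST body can and cannot be matched.
# Assumptions: one complete HTTP/1.x request, CRLF line endings, no TCP
# reassembly, no URL/chunked decoding. The real preprocessor does far more.
from typing import Dict, Optional

# Constructed sample request; host, cookie and credential values are made up.
SAMPLE_REQUEST = (
    b"POST /account/login.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=hunter"
)


def split_http_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw request into the named buffers a content modifier selects.
    The "_raw" entry is the whole payload, searched when no modifier is given."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, uri = parts[0], parts[1]
    cookie = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
    return {
        "_raw": raw,
        "http_method": method,
        "http_uri": uri,
        "http_header": b"\r\n".join(lines[1:]),
        "http_cookie": cookie,
        "http_client_body": body,
    }


def content_matches(raw: bytes, pattern: bytes, modifier: Optional[str] = None) -> bool:
    """Emulate `content:"<pattern>"; <modifier>;`. Without a modifier the whole
    payload is searched, which is why an unmodified content match finds POST
    data while the same pattern restricted to http_uri does not."""
    buffers = split_http_request(raw)
    key = modifier if modifier is not None else "_raw"
    if key not in buffers:
        raise KeyError(f"unknown modifier {modifier}")
    return pattern in buffers[key]


def evaluate_post_rule(raw: bytes, pattern: bytes) -> Dict[str, bool]:
    """Check a rule of the shape
    `content:"POST"; http_method; content:"<pattern>"; <buffer>;`
    against each buffer, so the reader can see which restriction actually hits."""
    is_post = content_matches(raw, b"POST", "http_method")
    results = {
        buf: is_post and content_matches(raw, pattern, buf)
        for buf in ("http_uri", "http_header", "http_cookie", "http_client_body")
    }
    results["no_modifier"] = is_post and content_matches(raw, pattern)
    return results


if __name__ == "__main__":
    for buf, hit in evaluate_post_rule(SAMPLE_REQUEST, b"password=").items():
        print(f'content:"password="; {buf}; -> {"match" if hit else "no match"}')
```

Running it lists one line per buffer: only `http_client_body` and the unmodified match find `password=`, which is the behaviour the original poster observed. The practical takeaway for rule writing is that a POST-body match should be anchored with `http_method` plus `http_client_body` rather than `http_uri`, so the rule is both specific to the request type and immune to the same string appearing in a query string.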
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 26)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 25)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 26)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 30)
- Re: HTTP preprocessor and POST data Matt Watchinski (Mar 30)
- Re: HTTP preprocessor and POST data Xavi Garcia (Mar 31)
- Re: HTTP preprocessor and POST data Crook, Parker (Mar 25)