Snort mailing list archives
Re: Feasibility of bogus cookie checking
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 31 Mar 2011 14:42:20 -0400
Longer term ... still a perf hit, but we could add a preprocessor alert.

On Thu, Mar 31, 2011 at 2:32 PM, Joel Esler <jesler () sourcefire com> wrote:

> Interesting that is. The Regex would be horrible to do for proper detection, but it could be done.
>
> Joel
>
> On Thu, Mar 31, 2011 at 12:02 PM, Lay, James <james.lay () wincofoods com> wrote:
>
>> Team,
>>
>> So…seen a couple surprises this morning…one of which was a hit to a pharm site…the pcap shows something interesting though:
>>
>> HTTP/1.1 200 OK
>> Server: nginx/0.8.53
>> Date: Thu, 31 Mar 2011 14:05:09 GMT
>> Content-Type: text/html; charset=ISO-8859-1
>> Transfer-Encoding: chunked
>> Connection: close
>> X-Powered-By: PHP/5.1.6
>> Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/
>> Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma: no-cache
>> Vary: Accept-Encoding,User-Agent
>>
>> What caught my attention was the Expired entry….like WAY in the past. Would it be feasible to create a rule based on cookie expiration dates in the past? Thoughts welcome…thanks.
>>
>> James
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
> Twitter: http://twitter.com/snort
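As an added example (not from the thread or from Snort), the following Python code applies the check discussed above to the quoted response: it compares the `Expires` header with the response's own `Date` header, and separates out the fixed 1981 date that PHP sends when `session.cache_limiter` is `nocache`, which the quoted headers match. The function names and category labels are assumptions made for this example.

```python
from email.utils import parsedate_to_datetime

# Fixed Expires value PHP emits alongside a session cookie when
# session.cache_limiter = nocache (a known benign default).
PHP_NOCACHE_EXPIRES = "Thu, 19 Nov 1981 08:52:00 GMT"

# Constructed sample: the response headers quoted in the thread.
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 31 Mar 2011 14:05:09 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]} for a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def classify_expires(raw):
    """Classify the Expires header relative to the response's Date header."""
    h = parse_headers(raw)
    if "expires" not in h or "date" not in h:
        return "no-expires"
    value = h["expires"][0]
    try:
        expires = parsedate_to_datetime(value)
        sent = parsedate_to_datetime(h["date"][0])
    except (TypeError, ValueError):
        return "unparseable"  # e.g. "Expires: 0"
    if expires > sent:
        return "future"
    cookies = " ".join(h.get("set-cookie", [])).lower()
    if value == PHP_NOCACHE_EXPIRES and "phpsessid=" in cookies:
        return "php-nocache-default"  # expected noise, not an indicator
    return "past"
```

Run over the quoted response, `classify_expires(SAMPLE)` returns `"php-nocache-default"`, so a rule keyed only on a past `Expires` date would fire on ordinary PHP session responses.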
Current thread:
- Feasibility of bogus cookie checking Lay, James (Mar 31)
- Re: Feasibility of bogus cookie checking Joel Esler (Mar 31)
- Re: Feasibility of bogus cookie checking Russ Combs (Mar 31)
- Re: Feasibility of bogus cookie checking Lay, James (Mar 31)
- Re: Feasibility of bogus cookie checking Daniel Shepherd (Mar 31)
- Re: Feasibility of bogus cookie checking Joel Esler (Mar 31)