Snort mailing list archives

Re: http_client_data and logging


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 26 May 2011 14:54:00 +0000

On 5/26/2011 2:42 PM, Joel Esler wrote:
> Do you have a tagged packet?
>
> Are you logging in pcap mode or unified2?

Unified2.  Example rule and a cleaned up packet that was logged:

Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST http_client_body contains pw="; content:"pw="; http_client_body; classtype:policy-violation; sid:5500003; rev:1;)

POST <REDACTED> HTTP/1.1
Host: <REDACTED>
User-Agent: Firefox/3.6.3 CFNetwork/454.5 Darwin/10.2.0 (i386) (MacPro4%2C1)
Content-Type: application/x-fcs
Content-Length: 1537
Connection: close

The alerting lacks the frame that contains the actual content match. 
Unless your client happens to have really short headers and not split 
POST data into another packet as the header, your alerts never contain 
the contents of http_client_body.

-- Eoin
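The point Eoin makes above is that the packet unified2 stores with the alert can be the one carrying only the request headers, while the bytes that actually matched the http_client_body rule sit in a later TCP segment. The following Python helper is an added example, not code from the thread or from the Snort project: given the raw payload bytes extracted from a logged alert, it classifies what part of the HTTP request was actually captured and whether the rule's content string is present in the body. It does not parse unified2 files itself, and the three sample payloads are constructed for this example.

```python
"""Triage helper for http_client_body alerts whose logged packet may lack the body.

Input is the raw TCP payload Snort stored with an alert (already extracted
from unified2 by whatever reader you use). The helper reports whether the
headers, the body, or only a fragment were captured, and whether the rule's
content string is actually inside the body.  Sample payloads at the bottom
are constructed for this example.
"""

CRLF2 = b"\r\n\r\n"
METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def parse_http_request(payload: bytes) -> dict:
    """Split a raw request into request line, headers and body.

    A payload that does not start with a method token is treated as a
    continuation segment (body only), which is what a second TCP segment
    of a POST looks like on the wire.
    """
    if not payload.startswith(METHODS):
        return {"request_line": None, "headers": {},
                "headers_complete": False, "body": payload}
    head, sep, body = payload.partition(CRLF2)
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return {"request_line": lines[0].decode("ascii", "replace"),
            "headers": headers, "headers_complete": bool(sep), "body": body}


def check_logged_alert(payload: bytes, content: bytes) -> dict:
    """Classify the captured payload and test the rule content against the body."""
    req = parse_http_request(payload)
    declared = req["headers"].get("content-length")
    declared_len = int(declared) if declared and declared.isdigit() else None
    body = req["body"]

    if req["request_line"] is None:
        kind = "body_fragment"           # continuation segment, no headers at all
    elif not req["headers_complete"]:
        kind = "truncated_headers"       # header block cut off mid-way
    elif not body:
        kind = "headers_only"            # the case described in the thread
    elif declared_len is not None and len(body) < declared_len:
        kind = "partial_body"
    else:
        kind = "complete_request"

    return {
        "kind": kind,
        "content_length": declared_len,
        "body_bytes_logged": len(body),
        "match_in_body": content in body,
        # A hit here but not in the body means the string only appears in the
        # headers, which http_client_body would never have matched on.
        "match_anywhere": content in payload,
    }


# Constructed sample request: one POST that a client may send as one or two segments.
SAMPLE_HEADERS = (b"POST /login HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 21\r\n"
                  b"Connection: close\r\n\r\n")
SAMPLE_BODY = b"user=alice&pw=secret1"          # exactly 21 bytes
RULE_CONTENT = b"pw="                            # content from the rule in the thread

SAMPLES = {
    "single_segment": SAMPLE_HEADERS + SAMPLE_BODY,  # headers and body together
    "first_segment": SAMPLE_HEADERS,                 # what unified2 logged per the thread
    "second_segment": SAMPLE_BODY,                   # where the match really lived
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, check_logged_alert(payload, RULE_CONTENT))
```

Run it and the "first_segment" case comes back as `headers_only` with no body match, which is exactly the logged packet Eoin shows: the alert is real, but the evidence for it is not in the stored packet. Joel's opening question about a tagged packet points at the usual mitigation in Snort, the `tag` rule option, which makes Snort log further packets of the same session after the alert so the body segment is also captured.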



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net