Re: http_client_data and logging

[Joel Esler <jesler () sourcefire com>]

Eoin,

Okay, let me talk with devel.

On Thu, May 26, 2011 at 10:54 AM, Eoin Miller <
eoin.miller () trojanedbinaries com> wrote:

> On 5/26/2011 2:42 PM, Joel Esler wrote:
>
> > Do you have a tagged packet?
> >
> > Are you logging in pcap mode or unified2?
> >
> >  Unified2.  Example rule and a cleaned up packet that was logged:
>
> Rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST
> http_client_body contains pw="; content:"pw="; http_client_body;
> classtype:policy-violation; sid:5500003; rev:1;)
>
> POST <REDACTED> HTTP/1.1
> Host: <REDACTED>
> User-Agent: Firefox/3.6.3 CFNetwork/454.5 Darwin/10.2.0 (i386)
> (MacPro4%2C1)
> Content-Type: application/x-fcs
> Content-Length: 1537
> Connection: close
>
> The alerting lacks the frame that contains the actual content match. Unless
> your client happens to have really short headers and not split POST data
> into another packet as the header, your alerts never contain the contents of
> http_client_body.
>
> -- Eoin
------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users