Snort mailing list archives
Re: http_client_data and logging
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 26 May 2011 10:58:33 -0400
Eoin,

Okay, let me talk with devel.

On Thu, May 26, 2011 at 10:54 AM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

> On 5/26/2011 2:42 PM, Joel Esler wrote:
>> Do you have a tagged packet? Are you logging in pcap mode or unified2?
>
> Unified2. Example rule and a cleaned-up packet that was logged:
>
> Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST http_client_body contains pw="; content:"pw="; http_client_body; classtype:policy-violation; sid:5500003; rev:1;)
>
> Logged packet:
>
> POST <REDACTED> HTTP/1.1
> Host: <REDACTED>
> User-Agent: Firefox/3.6.3 CFNetwork/454.5 Darwin/10.2.0 (i386) (MacPro4%2C1)
> Content-Type: application/x-fcs
> Content-Length: 1537
> Connection: close
>
> The alerting lacks the frame that contains the actual content match. Unless your client happens to have really short headers and does not split the POST data into another packet from the header, your alerts never contain the contents of http_client_body.
>
> -- Eoin
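The packet tagging Joel asks about, shown as an added illustration that is not part of the thread: Eoin's rule as posted, next to a variant that uses Snort's tag keyword so that packets of the same session following the alerting one are logged too, which is how the TCP segment(s) carrying the POST body can reach unified2 when the alert itself is attributed to the header segment. The packet count of 5, the "(tagged)" message suffix and the bumped sid are arbitrary choices for the example.

```snort
# As posted in the thread: only the packet the alert is attributed to is logged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST http_client_body contains pw="; content:"pw="; http_client_body; classtype:policy-violation; sid:5500003; rev:1;)

# Added variant (not from the thread): tag the next 5 packets of the session so the
# segments carrying the request body are logged alongside the alert. The count of 5
# and the sid 5500004 are example values chosen here, not values from the thread.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST http_client_body contains pw= (tagged)"; content:"pw="; http_client_body; tag:session,5,packets; classtype:policy-violation; sid:5500004; rev:1;)
```

tag only adds packets that Snort sees after the alerting packet in that session; it does not change which packet the alert itself is attributed to. A time-based variant, tag:session,<n>,seconds, is the alternative when the body may arrive over several segments.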
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- http_client_data and logging Eoin Miller (May 25)
- Re: http_client_data and logging James Lay (May 25)
- Re: http_client_data and logging Eoin Miller (May 26)
- Re: http_client_data and logging Joel Esler (May 26)
- Re: http_client_data and logging Eoin Miller (May 26)
- Re: http_client_data and logging Joel Esler (May 26)
- Re: http_client_data and logging Eoin Miller (May 26)
- Re: http_client_data and logging Joel Esler (May 26)
- Re: http_client_data and logging beenph (May 26)
- Re: http_client_data and logging Edward Fjellskål (May 26)
- Re: http_client_data and logging Eoin Miller (May 26)
- Re: http_client_data and logging James Lay (May 25)
- Re: http_client_data and logging Lay, James (May 26)