Snort mailing list archives

how to inspect http payload


From: 曾代科 <scybzdk () 163 com>
Date: Fri, 25 May 2012 19:47:34 +0800 (CST)

Hey there,


I want to match content included in the HTTP payload against the HTTP payload that is decompressed by Snort.


My suggestion is the following:
alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;)


I can get the message on the console when I use the wget command,
e.g.: wget www.baidu.com


But when I access the same website with a browser I can't get the message.
I know the HTTP data is compressed by gzip,
and I can print the decompressed data to the screen.


Why can't Snort match the content against the payload?


The config file is the default snort.conf. I just added a rule to the file.


How do I configure snort.conf?


I would appreciate any inspiration.


Cheers!
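Added example (not from the original post): the rule rewritten so that file_data sets the detection buffer before the content match, together with the http_inspect options that have to be present for Snort to decompress gzip response bodies. The port, sid and the string "background" are taken from the post; the direction, flow keyword, classtype and the snort.conf fragment are assumptions for a Snort 2.9-style configuration.

```snort
# snort.conf fragment (assumed): these options must be present in the
# existing "server default" block of http_inspect_server, otherwise
# gzip/deflate response bodies are never decompressed and file_data
# only sees what the raw packet carried.
#   extended_response_inspection  - inspect response bodies, not just requests
#   inspect_gzip                  - decompress gzip/deflate encoded bodies
#   unlimited_decompress          - do not stop at the default decompress depth
preprocessor http_inspect_server: server default \
    ports { 80 } \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress

# Rule: file_data comes BEFORE the content it should apply to, because it
# sets the detection cursor to the (decompressed) body buffer for all
# subsequent content matches. With content first, as in the post, the
# match runs against the raw packet payload, which explains why the
# uncompressed wget response matches and the gzip browser response does not.
# The body is sent by the server, so the rule watches port 80 -> client.
alert tcp any 80 -> any any ( \
    msg:"HTTP response body contains background"; \
    flow:to_client,established; \
    file_data; \
    content:"background"; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)
```

Restart Snort after editing snort.conf, since preprocessor options are read only at startup.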

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org