Snort mailing list archives
how to inspect http payload
From: 曾代科 <scybzdk () 163 com>
Date: Fri, 25 May 2012 19:47:34 +0800 (CST)
Hey there, I want to match a string contained in the HTTP payload against the HTTP payload as decompressed by Snort. The rule I tried is the following:

alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;)

I get the message on the console when I use the wget command, e.g. wget www.baidu.com, but when I access the same website with a browser I don't get the message. I know the HTTP data is compressed with gzip, and I can print the decompressed data to the screen. Why can't Snort match the content against the payload? The config file is the default snort.conf; I just added the rule to it. How do I configure snort.conf? I would appreciate any inspiration. Cheers!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
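The point the question turns on is rule-option ordering rather than snort.conf: in Snort 2, file_data is a sticky buffer, so only content options that come after it are tested against the decoded HTTP response body; a content option placed before it is tested against the raw packet payload, which for a gzip-encoded response is compressed bytes. That is why the posted rule fires for wget (no Accept-Encoding, plain body) and not for a browser. The decoded body also exists only when http_inspect_server has inspect_gzip on for that port and, beyond decompress_depth, unlimited_decompress (the snort.conf shipped with Snort 2.9 sets both), so a rule of the shape `alert tcp any 80 -> any any (msg:"message"; flow:to_client,established; file_data; content:"background"; sid:1000001; rev:1;)` is what matches the browser case. The following Python script is an added illustration of that buffer-selection behaviour, written for this page and not code from the thread or from Snort itself; the HTTP responses, the option lists and the tiny rule evaluator are constructed for the example, and the evaluator models only content, file_data, inspect_gzip and decompress_depth.

```python
import gzip

# Constructed sample traffic, not captured from the thread: one HTML page served
# uncompressed (what a plain `wget` gets) and the same page gzip-encoded (what a
# browser that advertises Accept-Encoding: gzip gets back from the server).
HTML = (b'<html><body style="background:#fff">'
        + b"<p>hello world</p>" * 20
        + b"</body></html>")

PLAIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  + b"Content-Type: text/html\r\n"
                  + b"Content-Length: " + str(len(HTML)).encode() + b"\r\n"
                  + b"\r\n" + HTML)

GZ_BODY = gzip.compress(HTML)
GZIP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 + b"Content-Type: text/html\r\n"
                 + b"Content-Encoding: gzip\r\n"
                 + b"Content-Length: " + str(len(GZ_BODY)).encode() + b"\r\n"
                 + b"\r\n" + GZ_BODY)

# Ordered option lists stand in for the rule body; only the ordering matters.
POSTER_RULE = [("content", b"background"), ("file_data", None)]  # as posted
FIXED_RULE = [("file_data", None), ("content", b"background")]   # sticky buffer first


def split_response(payload):
    """Split a raw HTTP response into a lowercase header dict and the body bytes."""
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decoded_body(payload, inspect_gzip=True, decompress_depth=None):
    """What http_inspect hands to file_data: the response body, gunzipped when
    Content-Encoding: gzip is present and inspect_gzip is on. decompress_depth
    None models unlimited_decompress; an integer truncates the decoded buffer,
    which is what a small decompress_depth does to a large page."""
    headers, body = split_response(payload)
    if inspect_gzip and headers.get(b"content-encoding", b"").lower() == b"gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            pass                                   # bad stream: inspect as-is
    if decompress_depth is not None:
        body = body[:decompress_depth]
    return body


def evaluate_rule(options, payload, inspect_gzip=True, decompress_depth=None):
    """Simplified Snort 2 option walk. A content option is tested against the
    buffer selected at that point in the rule: the raw packet payload until a
    file_data option is seen, the decoded body from then on."""
    buf = payload
    for name, arg in options:
        if name == "file_data":
            buf = decoded_body(payload, inspect_gzip, decompress_depth)
        elif name == "content":
            if arg not in buf:
                return False
        else:
            raise ValueError("unsupported option: " + name)
    return True


if __name__ == "__main__":
    for label, rule in (("as posted", POSTER_RULE), ("file_data first", FIXED_RULE)):
        print(label, "wget:", evaluate_rule(rule, PLAIN_RESPONSE),
              "browser:", evaluate_rule(rule, GZIP_RESPONSE))
    print("decompress_depth 16:",
          evaluate_rule(FIXED_RULE, GZIP_RESPONSE, decompress_depth=16))
```

Running it shows the posted ordering matching the plain response and missing the gzip one, the file_data-first ordering matching both, and the corrected rule still missing when the decoded buffer is cut short, which is the caveat to check (decompress_depth, or inspect_gzip absent for that server entry) if a correctly ordered rule is still silent on a large page.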
Current thread:
- how to inspect http payload 曾代科 (May 25)
- Re: how to inspect http payload Rodrigo Montoro(Sp0oKeR) (May 25)
- Re: how to inspect http payload lists () packetmail net (May 25)