Snort mailing list archives
[Help]: how to use pcre to match against normalized HTTP POST data?
From: Maxim <hittlle () 163 com>
Date: Wed, 6 Jul 2016 13:30:28 +0800 (CST)
Hi all,

How to use keyword pcre in snort rules to match against normalized HTTP POST data? I configured http_inspect post_depth to 0, and tried the following rule but failed.

alert tcp any any -> 192.168.4.100 80 (sid: 9100001; msg:"test-decoded-post-body"; content:"select";nocase;http_client_body;pcre:"/select/i"; rev: 1;);

I cannot find any information regarding this in the official document. Plus, if I use http_client_body and set post_depth to 0, can I get normalized HTTP POST body? By normalized, I mean decoded form-data and x-www-form-urlencoded data? Can I do that? What configuration items are required to do this?

Many thanks.
Hittlle
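Added example, not part of the original post and not Snort code: a Python sketch of what "normalized" means in the question above, applying the rule's /select/i pattern to a POST body before and after decoding x-www-form-urlencoded and multipart/form-data fields. It does not reproduce http_inspect behaviour; the function names and the sample bodies are constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import parse_qsl

PATTERN = re.compile(r"select", re.IGNORECASE)  # the rule's pcre:"/select/i"

def normalized_fields(content_type, body):
    """Decode a POST body into (field name, decoded value) pairs."""
    kind = content_type.split(";", 1)[0].strip().lower()
    if kind == "application/x-www-form-urlencoded":
        # latin-1 maps bytes 1:1 to code points, so no byte is lost or rejected
        return parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                         encoding="latin-1")
    if kind == "multipart/form-data":
        # Re-attach the Content-Type header so the MIME parser knows the boundary
        msg = message_from_bytes(
            b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
        return [(part.get_param("name", "", header="content-disposition"),
                 (part.get_payload(decode=True) or b"").decode("latin-1"))
                for part in msg.walk() if not part.is_multipart()]
    return [("", body.decode("latin-1"))]  # unknown type: treat body as one field

def scan(content_type, body):
    """Compare matching on the raw body with matching on decoded fields."""
    raw_hit = PATTERN.search(body.decode("latin-1")) is not None
    fields = [n for n, v in normalized_fields(content_type, body)
              if PATTERN.search(v)]
    return {"raw": raw_hit, "normalized_fields": fields}

# Constructed sample bodies (not captured traffic)
URLENCODED = b"id=1&q=s%65lect+name+from+t"
MULTIPART = (b'--XyZ\r\nContent-Disposition: form-data; name="q"\r\n\r\n'
             b"SeLeCt 1\r\n--XyZ--\r\n")

if __name__ == "__main__":
    print(scan("application/x-www-form-urlencoded", URLENCODED))
    print(scan("multipart/form-data; boundary=XyZ", MULTIPART))
```

The urlencoded sample matches only after decoding, which is why the buffer a pattern runs against matters; the multipart sample matches in both forms because its field values are not percent-encoded.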