Snort mailing list archives
Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule
From: Avery Rozar <avery.rozar () insecure-it com>
Date: Sat, 28 Jan 2017 09:07:09 -0500
I'm trying to setup a rule to deny anyone that is not coming from $VPN_NET from attempting to log into word press. # in snort.conf ip var VPN_NET [cidr,cidr] # in local.rules drop tcp !$VPN_NET any -> $HOME_NET any (msg:"WordPress Login attempt"; flow:to_server,established; file_data; content:"wp-login"; nocase; content: "POST"; nocase; http_method; classtype:misc-activity; sid:500001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, service http;) This rule seems to stop anything unless the POST is using 'Content-Type: application/x-www-form-urlencoded'. What is the best way to allow snort to deal with urlencoded POSTs, or is my rule just jacked up? Thanks, Avery
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Avery Rozar (Jan 28)