Snort mailing list archives
Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule
From: Y M <snort () outlook com>
Date: Sat, 28 Jan 2017 14:42:32 +0000
You are using the file_data buffer, which as far as I know is used with responses, however, your rule is attempting to trigger on requests through the rule direction and the flow configuration, or at least that's what I am seeing. Please correct me if I misunderstood your question. If you remove the file_data from the rule, what happens? Also if you want to be more specific in your rule, you can add a content detection to detect the content-type header. YM _____________________________ From: Avery Rozar <avery.rozar () insecure-it com<mailto:avery.rozar () insecure-it com>> Sent: Saturday, January 28, 2017 5:34 PM Subject: [Snort-sigs] Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule To: <snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>> I'm trying to setup a rule to deny anyone that is not coming from $VPN_NET from attempting to log into word press. # in snort.conf ip var VPN_NET [cidr,cidr] # in local.rules drop tcp !$VPN_NET any -> $HOME_NET any (msg:"WordPress Login attempt"; flow:to_server,established; file_data; content:"wp-login"; nocase; content: "POST"; nocase; http_method; classtype:misc-activity; sid:500001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, service http;) This rule seems to stop anything unless the POST is using 'Content-Type: application/x-www-form-urlencoded'. What is the best way to allow snort to deal with urlencoded POSTs, or is my rule just jacked up? Thanks, Avery
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Avery Rozar (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Y M (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Avery Rozar (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule 강명훈 (Jan 30)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Y M (Jan 28)