Snort mailing list archives
[snort-users] uricontent
From: pierz <pierz () indahax com>
Date: Thu, 13 Dec 2007 15:54:36 +0100
OK, you probably didn't understand my crappy English. The input/parameter/whatever with the name 'check' and the value 'pierz' is not part of the URI. This packet doesn't have to alert. Another example, look at these two rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:".php in uri"; flow:established,to_server; uricontent:".php"; nocase; sid:123; )

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:".php and http in uri"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; sid:456; )

Now, look at the following packets; they are only detected by the 1st rule:

[PACKET1]
POST / HTTP/1.1
Host: 192.168.1.2
Content-type: application/x-www-form-urlencoded

postinput=.php
[/PACKET1]

[PACKET2]
GET /somefile.php HTTP/1.1
Host: 192.168.1.2
[/PACKET2]

[PACKET3]
POST /somefile.php HTTP/1.1
Host: 192.168.1.2
Content-type: application/x-www-form-urlencoded

backdoor=http
[/PACKET3]

OK, I think PACKET1 should not be detected according to the Snort rules, because postinput=.php is not part of the URI. Now, if PACKET1 matches the first rule, I don't understand why PACKET3 doesn't match the second rule! I'm using the latest version of Snort.
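The following is an added illustration, not code from the post or from Snort. It takes the two rules and three packets above (reconstructed here with CRLF line endings, as constructed sample input) and evaluates the uricontent patterns two ways: against the request-URI only, which is what uricontent is documented to inspect, and against the whole packet payload, which is what a plain content: match would see. The rule table, the packet dictionary and the helper names are all assumptions made for this example; it does not claim to reproduce Snort's actual matching engine.

```python
"""Compare URI-only matching with whole-payload matching for the post's rules.

Constructed example: the packets are the three requests from the post,
re-assembled with CRLF line endings; the rules are reduced to their
uricontent patterns (all carry nocase).
"""
from typing import Dict, List, Optional

# Constructed sample packets from the post (hypothetical bytes, CRLF added).
PACKETS: Dict[str, str] = {
    "PACKET1": (
        "POST / HTTP/1.1\r\n"
        "Host: 192.168.1.2\r\n"
        "Content-type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "postinput=.php"
    ),
    "PACKET2": (
        "GET /somefile.php HTTP/1.1\r\n"
        "Host: 192.168.1.2\r\n"
        "\r\n"
    ),
    "PACKET3": (
        "POST /somefile.php HTTP/1.1\r\n"
        "Host: 192.168.1.2\r\n"
        "Content-type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "backdoor=http"
    ),
}

# sid -> uricontent patterns from the two rules in the post; every pattern
# must match (rule options are ANDed), and all carry nocase.
RULES: Dict[int, List[str]] = {
    123: [".php"],
    456: [".php", "http"],
}


def extract_uri(payload: str) -> Optional[str]:
    """Return the request-URI from the HTTP request line, or None if malformed."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def rule_matches(patterns: List[str], buffer: Optional[str], nocase: bool = True) -> bool:
    """True when every pattern occurs in the buffer (case-insensitive for nocase)."""
    if buffer is None:
        return False
    haystack = buffer.lower() if nocase else buffer
    return all((p.lower() if nocase else p) in haystack for p in patterns)


def evaluate(packets: Dict[str, str] = PACKETS,
             rules: Dict[int, List[str]] = RULES) -> Dict[str, Dict[int, Dict[str, bool]]]:
    """For each packet and sid, report the URI-only and whole-payload verdicts."""
    results: Dict[str, Dict[int, Dict[str, bool]]] = {}
    for name, payload in packets.items():
        uri = extract_uri(payload)
        results[name] = {
            sid: {
                "uri_only": rule_matches(patterns, uri),
                "whole_payload": rule_matches(patterns, payload),
            }
            for sid, patterns in rules.items()
        }
    return results


if __name__ == "__main__":
    for packet, verdicts in evaluate().items():
        for sid, verdict in verdicts.items():
            print(f"{packet} sid:{sid} uri_only={verdict['uri_only']} "
                  f"whole_payload={verdict['whole_payload']}")
```

Under URI-only semantics neither PACKET1 against sid 123 nor PACKET3 against sid 456 matches, because "/" contains no ".php" and "/somefile.php" contains no "http". Under whole-payload semantics every packet matches both rules, since each request line carries the string "HTTP/1.1" and nocase lets "http" match it. The behaviour reported in the post (PACKET1 fires on sid 123 but PACKET3 does not fire on sid 456) fits neither model, which is what makes the question worth asking of the http_inspect configuration rather than of the rules themselves.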
Current thread:
- [snort-users] uricontent pierz (Dec 13)
- Re: [snort-users] uricontent Keith Konecnik (Dec 13)