Snort mailing list archives

Feasibility of bogus cookie checking

From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 31 Mar 2011 10:02:23 -0600

Team,

 

So...seen a couple surprises this morning...one of which was a hit to a
pharm site...the pcap shows something interesting though:

 

HTTP/1.1 200 OK

Server: nginx/0.8.53

Date: Thu, 31 Mar 2011 14:05:09 GMT

Content-Type: text/html; charset=ISO-8859-1

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.1.6

Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0

Pragma: no-cache

Vary: Accept-Encoding,User-Agent

 

What caught my attention was the Expired entry....like WAY in the past.
Would it be feasible to create a rule based on cookie expiration dates
in the past?  Thoughts welcome...thanks.

 

James

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Feasibility of bogus cookie checking Lay, James (Mar 31)
- Re: Feasibility of bogus cookie checking Joel Esler (Mar 31)
  - Re: Feasibility of bogus cookie checking Russ Combs (Mar 31)
  - Re: Feasibility of bogus cookie checking Lay, James (Mar 31)
    - Re: Feasibility of bogus cookie checking Daniel Shepherd (Mar 31)