Snort mailing list archives
Feasibility of bogus cookie checking
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 31 Mar 2011 10:02:23 -0600
Team, So...seen a couple surprises this morning...one of which was a hit to a pharm site...the pcap shows something interesting though: HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Thu, 31 Mar 2011 14:05:09 GMT Content-Type: text/html; charset=ISO-8859-1 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.1.6 Set-Cookie: PHPSESSID=4u250jlgq57p0c51k2p3beg5n6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent What caught my attention was the Expired entry....like WAY in the past. Would it be feasible to create a rule based on cookie expiration dates in the past? Thoughts welcome...thanks. James
------------------------------------------------------------------------------ Create and publish websites with WebMatrix Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Feasibility of bogus cookie checking Lay, James (Mar 31)
- Re: Feasibility of bogus cookie checking Joel Esler (Mar 31)
- Re: Feasibility of bogus cookie checking Russ Combs (Mar 31)
- Re: Feasibility of bogus cookie checking Lay, James (Mar 31)
- Re: Feasibility of bogus cookie checking Daniel Shepherd (Mar 31)
- Re: Feasibility of bogus cookie checking Joel Esler (Mar 31)