Snort mailing list archives

HTML Form URL Encoded


From: Steven Fitzpatrick <sfitzpatrick () sciencepark org uk>
Date: Wed, 15 Jul 2015 15:44:39 +0000

Good afternoon,

I captured a packet in Wireshark showing passwords being sent in clear text, so I want to create an alert for this, but I am having some issues.

In the packet it's got "HTML Form URL Encoded" and then the various form fields, one of which is Form Item: "j_password"

My rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:""; flow:to_server; content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000; rev:1;)

I am new to rule writing, so I'm sure the above probably isn't the best way to go about it, but it's not triggering.

Any ideas?

Thanks

Steven Fitzpatrick
ICT Support Technician



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
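
An offline check of the detection logic the post is after, as an added example that is not part of the original message: it parses a raw HTTP request, confirms it is a form-URL-encoded POST, and reports the names of fields containing "password". The function name, the sample requests and the host `app.example.test` are constructed for illustration.

```python
from urllib.parse import unquote_plus

FORM_TYPE = b"application/x-www-form-urlencoded"

def password_fields_in_cleartext_post(raw_request: bytes, needle: str = "password") -> list:
    """Return decoded names of form fields containing `needle` in a plain-HTTP POST body."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return []  # header block incomplete: no body to inspect
    lines = head.split(b"\r\n")
    if not lines[0].upper().startswith(b"POST "):
        return []  # only POST requests carry the form in the body
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if not headers.get(b"content-type", b"").startswith(FORM_TYPE):
        return []  # not what Wireshark labels "HTML Form URL Encoded"
    hits = []
    for pair in body.split(b"&"):
        raw_name = pair.partition(b"=")[0]
        # Field names may be percent-encoded on the wire: j%5Fpassword is j_password.
        name = unquote_plus(raw_name.decode("latin-1"))
        if needle in name.lower():
            hits.append(name)  # report the field name only, never its value
    return hits

# Constructed sample requests (not taken from the capture described in the post).
HEAD = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n\r\n")
SAMPLE_LITERAL = HEAD + b"j_username=alice&j_password=Example123"
SAMPLE_ENCODED = HEAD + b"j_username=alice&j%5Fpassword=Example123"
SAMPLE_GET = b"GET /login?j_password=x HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("literal", SAMPLE_LITERAL), ("encoded", SAMPLE_ENCODED),
                       ("get", SAMPLE_GET)):
        print(label, password_fields_in_cleartext_post(req),
              "raw bytes contain j_password:", b"j_password" in req)
```

The second sample carries the same field with a percent-encoded name, so the decoded check reports it even though the raw bytes do not contain the literal `j_password`.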

