Re: HTML Form URL Encoded

[Alex McDonnell <amcdonnell () sourcefire com>]

If you have a packet, that's the best way for us to help troubleshoot your
rule. Note that you don't have to turn _ into |5F| in your content match.

thanks
Alex McDonnell
TALOS

On Wed, Jul 15, 2015 at 11:44 AM, Steven Fitzpatrick <
sfitzpatrick () sciencepark org uk> wrote:

>  Good afternoon,
>
>
>
> I captured a packet in wire shark to capture showing passwords being sent
> in clear text so want to create an alert for this but having some issues.
>
>
>
> In the packet it’s got HTML Form URL encoded and then the various form
> fields which one of these is Form Item: “j_password”
>
>
>
> My rule is:
>
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:""; flow:to_server;
> content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000;
> rev:1;)
>
>
>
> I am new to rule writing so sure that above probably isn’t the best way to
> go about it but it’s not triggering.
>
>
>
> Any ideas?
>
>
>
> Thanks
>
>
>  ------------------------------
>
>
>
> [image: cid:image001.jpg@01CF4A6C.7393E770]
> <http://www.plymouthsciencepark.com/>
>
>
>
> *Steven Fitzpatrick*
> ICT Support Technician
>
>
>
> *T:* 01752 762118
> *E:* sfitzpatrick () plymouthsciencepark com
>
>
>
> www.plymouthsciencepark.com
>
> [image: cid:image010.jpg@01CF3F6A.F9A8B460]
> <https://www.facebook.com/plymouthsciencepark>[image:
> cid:image011.jpg@01CF3F6A.F9A8B460] <https://twitter.com/PlymSciencePark>[image:
> cid:image012.jpg@01CF3F6A.F9A8B460]
> <https://www.linkedin.com/groups/Plymouth-Science-Park-2273525?trk=my_groups-b-grp-v>
>
>
>  ------------------------------
>
>
>  ------------------------------
> Plymouth Science Park Limited, 1 Davy Road, Plymouth, PL6 8BX. Registered
> in England No. 3157625 DISCLAIMER: This correspondence contains
> proprietary information, some or all of which may be legally privileged. It
> is for the intended recipient only. If an addressing or transmission error
> has misdirected this correspondence, please notify the author. If you are
> not the intended recipient you must not use, disclose, distribute, copy,
> print or rely on this correspondence. The contents, comments or views
> expressed within do not necessarily reflect those of Plymouth Science Park
> Ltd, its affiliates or associates and are not intended to create legal
> relations with the recipient. If you want to know more about Plymouth
> Science Park, visit us on the web at www.plymouthsciencepark.com or
> contact us on 01752 772200.
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!