Snort mailing list archives

s/file_data/http_client_body?


From: Duane Howard <duane.security () gmail com>
Date: Tue, 22 Sep 2015 11:29:23 -0700

Should this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT
FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established;
*file_data*; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg;
flowbits:noalert; metadata:service http; classtype:misc-activity;
sid:35852; rev:1;)

actually be:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT
FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established;
*http_client_body*; content:"|FF D8 FF E1|"; depth:4;
flowbits:set,file.jpeg; flowbits:noalert; metadata:service http;
classtype:misc-activity; sid:35852; rev:1;)

From my quick read of the manual, file_data for HTTP traffic would map to
the HTTP response body, from the server, instead of the client body to the
server. I *think* this rule is trying to find JPEGs POSTed (or similar) to
a server in my HOME_NET. Will file_data actually work in this case?
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
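An added example, not code from this thread or from Snort, that models the three places the rule's byte test could be anchored for an upload like the one asked about: the raw TCP payload, the request body (what http_client_body selects) and the response body (the HTTP target the message above quotes from the manual for file_data). The HTTP messages, boundary and body lengths are constructed for the example; the minimal parser and the buffer semantics are assumptions of the example, and it does not settle which Snort versions also point file_data at request bodies, which is the question being asked.

```python
# Added example (not from the thread or from Snort): run sid 35852's
# content test against each buffer a Snort rule could be anchored at.
from typing import Dict, Optional, Tuple

# The test from the rule: content:"|FF D8 FF E1|"; depth:4;
# FF D8 is the JPEG SOI marker, FF E1 the APP1 (Exif) marker.
JPEG_EXIF_MAGIC = b"\xff\xd8\xff\xe1"


def split_http(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one HTTP message into (start line, headers, body).

    Deliberately minimal (assumption of this example): no chunking, no
    folding, no decompression; only buffer selection matters here.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_request(start_line: bytes) -> bool:
    """Responses start with the protocol version, requests with a method."""
    return not start_line.startswith(b"HTTP/")


def declared_body(headers: Dict[bytes, bytes], body: bytes) -> bytes:
    """Trim the body to Content-Length, as a normalizer would."""
    return body[:int(headers.get(b"content-length", str(len(body)).encode()))]


def http_client_body(raw: bytes) -> Optional[bytes]:
    """Buffer http_client_body selects: body of a request to the server."""
    start, headers, body = split_http(raw)
    return declared_body(headers, body) if is_request(start) else None


def http_response_body(raw: bytes) -> Optional[bytes]:
    """Body of the server's response (the HTTP target the quoted manual
    text gives for file_data)."""
    start, headers, body = split_http(raw)
    return None if is_request(start) else declared_body(headers, body)


def content_match(buf: Optional[bytes], pattern: bytes = JPEG_EXIF_MAGIC,
                  depth: int = 4) -> bool:
    """content with depth:N only searches the first N bytes of the selected
    buffer, counted from that buffer's start, not the packet's."""
    if buf is None:
        return False
    return pattern in buf[:depth]


def evaluate(raw: bytes) -> Dict[str, bool]:
    """Run the rule's byte test against each candidate buffer."""
    return {
        "raw_payload": content_match(raw),
        "http_client_body": content_match(http_client_body(raw)),
        "http_response_body": content_match(http_response_body(raw)),
    }


# Constructed sample traffic (not captured data). The JPEG stubs carry
# only the leading markers, which is all the depth:4 test looks at.
JPEG_EXIF = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + b"\x00" * 8
JPEG_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 8
BOUNDARY = b"----snortsig"
# A browser form upload: the file bytes sit behind a boundary and part headers.
MULTIPART = (b"--" + BOUNDARY + b"\r\n"
             b'Content-Disposition: form-data; name="f"; filename="a.jpg"\r\n'
             b"Content-Type: image/jpeg\r\n\r\n" + JPEG_EXIF +
             b"\r\n--" + BOUNDARY + b"--\r\n")


def request(body: bytes, content_type: bytes) -> bytes:
    head = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def response(body: bytes, content_type: bytes) -> bytes:
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


RAW_UPLOAD = request(JPEG_EXIF, b"image/jpeg")
JFIF_UPLOAD = request(JPEG_JFIF, b"image/jpeg")
FORM_UPLOAD = request(MULTIPART, b"multipart/form-data; boundary=" + BOUNDARY)
DOWNLOAD = response(JPEG_EXIF, b"image/jpeg")

if __name__ == "__main__":
    for name, msg in [("raw POST", RAW_UPLOAD), ("JFIF POST", JFIF_UPLOAD),
                      ("form POST", FORM_UPLOAD), ("GET response", DOWNLOAD)]:
        print(name, evaluate(msg))
```

Three things fall out of running it. With no buffer modifier the test never fires on either direction, because depth:4 counts from the start of the selected buffer and the first four payload bytes are "POST" or "HTTP"; a body-selecting modifier is needed either way. The signature only matches Exif-style files (FF D8 FF E1): a JFIF JPEG starts FF D8 FF E0 and is missed by the rule as written. And a multipart form upload puts the boundary and part headers in front of the file, so even with the request body selected the magic is not within the first four bytes.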
