Snort mailing list archives

[Help]: how to use pcre to match against normalized HTTP POST data?


From: Maxim <hittlle () 163 com>
Date: Wed, 6 Jul 2016 13:30:28 +0800 (CST)

Hi all, 


How do I use the pcre keyword in Snort rules to match against normalized HTTP POST data? I configured http_inspect post_depth 
to 0 and tried the following rule, but it failed.


alert tcp any any -> 192.168.4.100 80 (sid: 9100001; msg:"test-decoded-post-body"; content:"select";nocase;http_client_body;pcre:"/select/i"; rev: 1;)


I cannot find any information regarding this in the official documentation. Plus, if I use http_client_body and set 
post_depth to 0, can I get the normalized HTTP POST body? By normalized, I mean decoded multipart form-data and 
x-www-form-urlencoded data. Can I do that? What configuration items are required to do this? Many thanks.


Hittlle
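Added example (not part of the original post or of any reply): the two pieces of Snort 2.9 configuration the question is about, written the way a rule author would put them together. The target address and sid are taken from the post; the file names, the flow option and the rev bump are assumptions. The two points it shows are that post_depth 0 in http_inspect_server makes the preprocessor inspect the entire client body (the default of -1 turns client-body inspection off, so http_client_body matches nothing), and that a pcre only evaluates against the HTTP client-body buffer when it carries the P modifier; a pcre without P runs against the raw packet payload, not the buffer that http_client_body selected.

```snort
# snort.conf fragment (added example, not the poster's configuration):
# post_depth 0 = hand the whole client body to the http_client_body buffer.
# The default, -1, disables client-body inspection entirely.
preprocessor http_inspect_server: server default \
    profile all ports { 80 } \
    post_depth 0

# local.rules (added example): content and pcre both target the client body.
# The trailing "P" on the pcre modifier string selects the HTTP client-body
# buffer, the same buffer the http_client_body content modifier uses.
# Without "P" the regex is run against the raw payload instead.
alert tcp any any -> 192.168.4.100 80 ( \
    msg:"test-decoded-post-body"; \
    flow:to_server,established; \
    content:"select"; nocase; http_client_body; \
    pcre:"/select/iP"; \
    sid:9100001; rev:2; \
)
```

The rule syntax only chooses which buffer the regex sees; it does not by itself decode percent-encoded or multipart form data, so check what a given Snort version actually normalizes by replaying a captured POST (for example `snort -c snort.conf -r test.pcap -A console`) with both an encoded and a plain "select" in the body and confirming which one fires.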
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
