Snort mailing list archives
Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule
From: 강명훈 <mhkang589 () gmail com>
Date: Mon, 30 Jan 2017 13:46:25 +0900
The file_data option sets the cursor used for detection to one of the following buffers: 1. HTTP response body 2. SMTP/POP/IMAP data body. If you want to restricts the search to the body of an HTTP client request, try use content modifier http_client_body 2017-01-28 23:07 GMT+09:00 Avery Rozar <avery.rozar () insecure-it com>:
I'm trying to setup a rule to deny anyone that is not coming from $VPN_NET from attempting to log into word press. # in snort.conf ip var VPN_NET [cidr,cidr] # in local.rules drop tcp !$VPN_NET any -> $HOME_NET any (msg:"WordPress Login attempt"; flow:to_server,established; file_data; content:"wp-login"; nocase; content: "POST"; nocase; http_method; classtype:misc-activity; sid:500001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, service http;) This rule seems to stop anything unless the POST is using 'Content-Type: application/x-www-form-urlencoded'. What is the best way to allow snort to deal with urlencoded POSTs, or is my rule just jacked up? Thanks, Avery ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
-- ----------------------- Kang Myoung-hun ----------------------- +82-10 6604 6084 kangmyounghun.blogspot.kr
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Avery Rozar (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Y M (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Avery Rozar (Jan 28)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule 강명훈 (Jan 30)
- Re: Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule Y M (Jan 28)