Snort mailing list archives
snort rule to detect HTTP POST data
From: "Shah, Neeraj A. \(IntlCtr\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 28 Mar 2018 20:27:24 +0000
Hello All,

Looking for help for creating a rule which can alert when a default password is sent across HTTP session. I am trying to capture when someone logs in to http://ip-addr of my switch web UI with default password.

I have tried the below rules and none of them are working. I can see the default pwd password in cleartext in the pcap file yet snort is not alerting. Is it because snort handles HTTP FORM POST data differently?

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "pwd=password" ; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "password"; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:"/base/cheetah_login.html "; content:"password"; nocase; sid:10000009;rev:1;)

Below is a snippet of PCAP file.

[image attachment: image001.png]

Thanks in advance
Neeraj
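Added example, not part of the original post or of any Snort ruleset: one way to tie each match to the HTTP buffer it belongs in, so the form body is inspected through http_inspect rather than as raw packet payload. It assumes Snort 2.9.x rule syntax, an http_inspect configuration that covers port 80 and inspects POST bodies (its post_depth setting), and the URI and pwd field name quoted in the post; the sid values are constructed.

```snort
# Added example rules. The sids are constructed local values; $NETWORK_DEVICES,
# the URI and the "pwd" field name are taken from the post above.

# Rule 1: every content match is bound to an http_inspect buffer.
alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 ( \
    msg:"WEBAPP Netgear Default Password"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/base/cheetah_login.html"; nocase; http_uri; \
    content:"pwd=password"; nocase; http_client_body; \
    sid:10000010; rev:1;)

# Rule 2: same match, with the field anchored between form separators so that
# values such as pwd=password123 or fields such as oldpwd=password do not alert.
# The content match stays in place as the fast pattern; the P flag applies the
# regex to the request body.
alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 ( \
    msg:"WEBAPP Netgear Default Password (exact field)"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/base/cheetah_login.html"; nocase; http_uri; \
    content:"pwd=password"; nocase; http_client_body; \
    pcre:"/(^|&)pwd=password(&|$)/Pi"; \
    sid:10000011; rev:1;)
```

When replaying a capture with these rules, running Snort with -k none rules out packets being dropped before inspection because of bad checksums, which is common in captures taken on a host with checksum offload.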