Snort mailing list archives

snort rule to detect HTTP POST data


From: "Shah, Neeraj A. (IntlCtr) via Snort-users" <snort-users () lists snort org>
Date: Wed, 28 Mar 2018 20:27:24 +0000





Hello All,



Looking for help with creating a rule which can alert when a default password is sent across an HTTP session. I am trying to capture when someone logs in to http://ip-addr of my switch web UI with the default password. I have tried the rules below and none of them are working. I can see the default pwd password in cleartext in the pcap file, yet Snort is not alerting. Is it because Snort handles HTTP FORM POST data differently?





alert tcp $HOME_NET any ->  $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "pwd=password" ; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any ->  $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "password"; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any ->  $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:"/base/cheetah_login.html "; content:"password"; nocase; sid:10000009;rev:1;)





Below is a snippet of PCAP file.



[cid:image001.png@01D3C6B1.A65ADCC0]



Thanks in advance

Neeraj
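
One way to express this detection with Snort 2.9 HTTP buffer modifiers, as an added example that is not part of the original post. It assumes the login form is sent as application/x-www-form-urlencoded with a field named pwd, that port 80 is in the http_inspect ports list with POST body inspection enabled, and it uses a constructed local SID.

```snort
# Added example (Snort 2.9.x syntax), not from the original post.
# Assumptions:
#   - $NETWORK_DEVICES is defined in snort.conf (ipvar) and covers the switch.
#   - Port 80 is listed in the http_inspect "ports" setting, and post_depth
#     is set so that request bodies are inspected.
#   - The form body is urlencoded and the password field is named "pwd",
#     as seen in the poster's capture ("pwd=password").
#   - sid 10000010 is a constructed local value; every rule needs its own sid.
alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 ( \
    msg:"WEBAPP Netgear Default Password"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/base/cheetah_login.html"; http_uri; nocase; \
    content:"pwd=password"; http_client_body; nocase; \
    pcre:"/(^|&)pwd=password(&|$)/Pi"; \
    classtype:policy-violation; \
    sid:10000010; rev:1;)
```

The pcre anchors the field on both sides, so a longer value such as pwd=password123 does not alert. To check the rule against a saved capture, `snort -c snort.conf -r capture.pcap -A console -k none` replays the file, and `-k none` skips checksum verification, which matters when the capture was taken on a host with checksum offload.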
