Snort mailing list archives
Re: snort rule to detect HTTP POST data
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Apr 2018 04:54:04 +0000
Betting it's how you have your variables configured in your snort.conf

On Mar 28, 2018, at 3:27 PM, Shah, Neeraj A. (IntlCtr) via Snort-users <snort-users () lists snort org> wrote:

Hello All,

Looking for help for creating a rule which can alert when a default password is sent across HTTP session. I am trying to capture when someone logs in to http://ip-addr of my switch web UI with default password.

I have tried the below rules and none of them are working. I can see the default pwd password in cleartext in the pcap file yet snort is not alerting. Is it because snort handles HTTP FORM POST data differently?

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "pwd=password" ; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "password"; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:"/base/cheetah_login.html "; content:"password"; nocase; sid:10000009;rev:1;)

Below is a snippet of PCAP file.

<image001.png>

Thanks in advance
Neeraj

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette
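Added example (not part of the original messages, and not Snort's own code): following the reply's pointer to snort.conf variables, this Python sketch checks whether a flow seen in a pcap satisfies the header `alert tcp $HOME_NET any -> $NETWORK_DEVICES 80` shared by the posted rules. The snort.conf fragment and every address in it are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed snort.conf fragment: sample addresses, not taken from the thread.
SAMPLE_CONF = """
ipvar HOME_NET [10.1.0.0/16,!10.1.99.0/24]
ipvar NETWORK_DEVICES [192.168.50.2,192.168.50.3]
ipvar EXTERNAL_NET !$HOME_NET
"""

def parse_ipvars(conf):
    """Map variable name -> raw value for each ipvar/var line (values without spaces)."""
    return dict(re.findall(r"^\s*(?:ipvar|var)\s+(\S+)\s+(\S+)", conf, re.M))

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            depth += (ch == "[") - (ch == "]")
            cur += ch
    return parts + [cur]

def matches(ip, expr, ipvars):
    """True if ip is inside a Snort address expression (any, CIDR, $VAR, !x, [list])."""
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(ip, expr[1:], ipvars)
    if expr == "any":
        return True
    if expr.startswith("$"):
        return matches(ip, ipvars[expr[1:]], ipvars)  # KeyError: variable not defined
    if expr.startswith("["):
        items = split_top(expr[1:-1])
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        # Snort ORs the plain elements, then excludes anything in a negated element.
        included = any(matches(ip, p, ipvars) for p in pos) if pos else True
        return included and not any(matches(ip, n, ipvars) for n in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def header_mismatches(src, dst, dport, ipvars):
    """Parts of 'alert tcp $HOME_NET any -> $NETWORK_DEVICES 80' that a flow fails."""
    checks = [("src", matches(src, "$HOME_NET", ipvars)),
              ("dst", matches(dst, "$NETWORK_DEVICES", ipvars)),
              ("port", dport == 80)]
    return [name for name, ok in checks if not ok]
```

An empty list from `header_mismatches` means the rule header matches the flow, so the content options are the next thing to examine; a non-empty list names the variable or port that keeps the rule from being evaluated at all.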