[Snort-devel] Content detection in html payload with snort ?

Matthew Watchinski mwatchinski at ...402...
Thu May 19 10:48:20 EDT 2005


If you're looking for things deep into the server response you'll have to 
change the configuration for http_inspect.  By default http_inspect only 
passes the first 300 bytes of server response traffic to the detection 
engine.

Try adding "flow_depth 0" to your http_inspect configuration and see if 
that fixes your problem.

Cheers,
-matt

Frederic Charpentier wrote:

> hi list,
> I could not find an answer to my problem, so I ask the list :
>
> I use snort to detect attackers playing with my web application.
> I try to detect some specific text in html response, like "Bad User" or
> " Warning Mysql Error". But snort stays blind.
>
> Sample :
> 1 - Attacker   -> web-server : http://server/script.asp?param=' or 1=1--
> 2 - web-server -> attacker : 200 OK, ......<html>......datatype error....
>
> I try to catch the string "datatype error" with a snort rule like that :
>
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack";
> flow:from_server,established; content:"datatype error";
> classtype:web-application-attack; sid:80005; rev:1;)   
>
> But Snort never detects that.
>
> I try with binary mode, same.
> When I sniff with ethereal, the packet I try to catch is like that :
>
> attacker   -> web-server  : HTTP : GET  http://server/script.asp?param='
> web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified    
> web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)
>
>
> If anyone has an idea ?
>
>
>
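As an added illustration (not part of the thread, and not a fragment from any snort.conf shipped by the Snort project) of how Matt's advice fits into a Snort 2.x configuration alongside Frederic's rule: the only change that matters is `flow_depth 0` on the `http_inspect_server` line. The `profile all` form, the port list and the `nocase` modifier on the rule are assumptions added here; keep whatever your existing `http_inspect_server` line already has and only append the `flow_depth` option.

```snort
# Global http_inspect settings (this is the usual snort.conf form; the
# unicode.map file is assumed to be in place).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Server-side settings. "flow_depth 0" hands the WHOLE server response body
# to the detection engine instead of only the first 300 bytes (the default),
# which is why a content match deep inside an HTML error page never fired.
# "profile all" and the port list are assumptions for this example.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    flow_depth 0

# The rule from the original post; "nocase" is an added tweak so that
# "Datatype Error" and "datatype error" both match, hence rev bumped to 2.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; \
    flow:from_server,established; content:"datatype error"; nocase; \
    classtype:web-application-attack; sid:80005; rev:2;)
```

Two practical notes: inspecting every byte of every response costs more CPU than the 300-byte default, so on a busy sensor it is worth setting a bounded depth large enough to cover your error pages rather than 0; and in later Snort 2.x releases the option is named `server_flow_depth` (with `flow_depth` kept as an alias), so check the README.http_inspect that ships with your version.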