[Snort-devel] Content detection in html payload with snort ?
mwatchinski at ...402...
Thu May 19 10:48:20 EDT 2005
If you are looking for things deep into the server response you'll have to
change the configuration for http_inspect. By default http_inspect only
passes the first 300 bytes of server response traffic to the detection
Try adding "flow_depth 0" to your http_inspect configuration and see if
that fixes your problem.
Frederic Charpentier wrote:
> hi list,
> I could not find an answer to my problem, so I ask the list:
> I use snort to detect attackers playing with my web application.
> I try to detect some specific text in the html response, like "Bad User" or
> "Warning Mysql Error". But snort stays blind.
> Sample :
> 1 - Attacker -> web-server : http://server/script.asp?param=' or 1=1--
> 2 - web-server -> attacker : 200 OK, ......<html>......datatype error....
> I try to catch the string "datatype error" with a snort rule like that :
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack";
> flow:from_server,established; content:"datatype error";
> classtype:web-application-attack; sid:80005; rev:1;)
> But Snort never detects that.
> I try with binary mode, same.
> When I sniff with ethereal, the packet I try to catch is like that :
> attacker -> web-server : HTTP : GET http://server/script.asp?param='
> web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified
> web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)
> Does anyone have an idea?
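The reply above attributes the miss to http_inspect's flow_depth: only the first 300 bytes of the server response reach the detection engine, so a content match on text further into the HTML body never fires. The following Python is an added example, not code from the thread or from Snort itself; it is a simplified model of that inspection window (the real preprocessor normalizes and reassembles traffic in more detail) and it assumes, as the reply implies, that flow_depth 0 means "no limit". The HTTP response is constructed for the example, with the "datatype error" string deliberately placed past byte 300 so the effect of the default depth versus flow_depth 0 is visible.

```python
"""Model of Snort http_inspect's flow_depth window (added example, not Snort code)."""

# Constructed sample server response: headers plus an HTML body whose
# tell-tale error text sits well beyond the first 300 bytes of the stream.
HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example-web-server\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
BODY = (
    b"<html><head><title>results</title></head><body>\n"
    + b"<!-- padding to push the error text past the inspection window -->\n" * 4
    + b"<p>Error: datatype error in query string parameter</p>\n"
    + b"</body></html>\n"
)
RESPONSE = HEADERS + BODY

DEFAULT_FLOW_DEPTH = 300  # http_inspect default, per the reply in this thread


def inspected_window(response: bytes, flow_depth: int) -> bytes:
    """Return the slice of the server response the detection engine sees.

    flow_depth 0 is treated as 'inspect the whole response' (assumption,
    matching the 'flow_depth 0' advice given in the reply).
    """
    if flow_depth < 0:
        raise ValueError("flow_depth must be 0 or a positive byte count")
    if flow_depth == 0:
        return response
    return response[:flow_depth]


def content_match(response: bytes, pattern: bytes, flow_depth: int) -> bool:
    """Model a rule's content:"..." check against the inspected window only."""
    return pattern in inspected_window(response, flow_depth)


def pattern_offset(response: bytes, pattern: bytes) -> int:
    """Byte offset of the pattern in the full response (-1 if absent),
    useful for checking whether a chosen flow_depth could ever reach it."""
    return response.find(pattern)


if __name__ == "__main__":
    needle = b"datatype error"
    print("pattern offset in response:", pattern_offset(RESPONSE, needle))
    print("match with default flow_depth 300:",
          content_match(RESPONSE, needle, DEFAULT_FLOW_DEPTH))
    print("match with flow_depth 0 (unlimited):",
          content_match(RESPONSE, needle, 0))
```

Running it shows the error string sitting past offset 300, a miss with the default depth, and a hit once the limit is lifted. The trade-off a practitioner should keep in mind is that inspecting the full server response costs detection time on every large page, so raising flow_depth only as far as the rules actually need is the usual compromise.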