[Snort-devel] Content detection in html payload with snort ?
fcharpen at ...2765...
Fri May 20 01:57:40 EDT 2005
Thanks a lot.
I added a specific http_inspect preprocessor with a flow_depth of 0.
Now it's ok. Cheers. Fred
Matthew Watchinski wrote:
> If you're looking for things deep into the server response you'll have to
> change the configuration for http_inspect. By default http_inspect only
> passes the first 300 bytes of server response traffic to the detection
> Try adding "flow_depth 0" to your http_inspect configuration and see if
> that fixes your problem.
> Frederic Charpentier wrote:
>> hi list,
>> I could not find an answer to my problem, so I ask the list:
>> I use snort to detect attackers playing with my web application.
>> I try to detect some specific text in the html response, like "Bad User" or
>> "Warning Mysql Error". But snort stays blind.
>> Sample :
>> 1 - Attacker -> web-server : http://server/script.asp?param=' or 1=1--
>> 2 - web-server -> attacker : 200 OK, ......<html>......datatype error....
>> I try to catch the string "datatype error" with a snort rule like this:
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack";
>> flow:from_server,established; content:"datatype error";
>> classtype:web-application-attack; sid:80005; rev:1;)
>> But Snort never detects that.
>> I try with binary mode, same.
>> When I sniff with ethereal, the packet I try to catch looks like this:
>> attacker -> web-server : HTTP : GET http://server/script.asp?param='
>> web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified
>> web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)
>> Does anyone have an idea?
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com
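For readers landing on this thread with the same symptom, here is what the fix discussed above looks like in a Snort 2.x snort.conf. This is an added illustration, not configuration posted by either participant: the weak setting is the 300-byte default Matthew refers to, and the corrected server block sets flow_depth to 0 so the whole server response reaches the detection engine. The port list, the unicode map file and the stream4 reassembly line are assumptions for a typical 2.x deployment; the rule itself is Frederic's, reproduced on one line.

```snort
# --- Snort 2.x snort.conf fragment (added example, not from the thread) ---

# TCP stream reassembly. Frederic's trace shows the "datatype error" body
# arriving in a separate segment after the 304 headers, so the server side
# of the stream must be reassembled too. Snort 2.x stream4 defaults to
# client-only reassembly; "both" is an assumption appropriate for this case.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both

# Global HTTP inspection; unicode.map path is an assumption.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Weak setting (the 2.x default when flow_depth is omitted): only the first
# 300 bytes of each server response are handed to detection, so a content
# match that sits deeper in the HTML body never fires.
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 8080 } \
#     flow_depth 300

# Corrected setting: flow_depth 0 means "inspect the entire server response".
# Expect higher CPU load on busy web segments; restrict the ports to what
# you actually serve.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    flow_depth 0

# Frederic's rule, unchanged. flow:from_server is what makes it look at the
# response direction; it only works once the server data is actually
# presented to detection by the settings above.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; flow:from_server,established; content:"datatype error"; classtype:web-application-attack; sid:80005; rev:1;)
```

A quick check after restarting Snort is to replay the attacker's request against the test server and confirm the alert appears; if it still does not, verify that the response really passes through a port listed in the http_inspect_server block and that stream reassembly covers the server side, since a body split across segments will otherwise never be matched as one string.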