[Snort-devel] Content detection in html payload with snort ?

Frederic Charpentier fcharpen at ...2765...
Fri May 20 01:57:40 EDT 2005


Thanks a lot.
I added a specific http_inspect preprocessor with a flow_depth of 0.

Now it's ok. Cheers. Fred

Matthew Watchinski wrote:
> If you're looking for things deep into the server response you'll have to 
> change the configuration for http_inspect.  By default http_inspect only 
> passes the first 300 bytes of server response traffic to the detection 
> engine.
> 
> Try adding "flow_depth 0" to your http_inspect configuration and see if 
> that fixes your problem.
> 
> Cheers,
> -matt
> 
> Frederic Charpentier wrote:
> 
>> hi list,
>> I could not find an answer to my problem, so I ask the list:
>>
>> I use snort to detect attackers playing with my web application.
>> I try to detect some specific text in html response, like "Bad User" or
>> " Warning Mysql Error". But snort stays blind.
>>
>> Sample:
>> 1 - Attacker   -> web-server : http://server/script.asp?param=' or 1=1--
>> 2 - web-server -> attacker : 200 OK, ......<html>......datatype error....
>>
>> I try to catch the string "datatype error" with a snort rule like this:
>>
>> alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack";
>> flow:from_server,established; content:"datatype error";
>> classtype:web-application-attack; sid:80005; rev:1;)
>> But Snort never detects that.
>>
>> I try with binary mode, same.
>> When I sniff with ethereal, the packet I try to catch looks like this:
>>
>> attacker   -> web-server : HTTP : GET  http://server/script.asp?param='
>> web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified
>> web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)
>>
>>
>> If anyone has an idea?
>>
>>
>>
> 
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-- 
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com
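The fix agreed on in this thread, written out as an added Snort 2.x snort.conf fragment (not configuration posted by either participant): the default http_inspect_server profile hands only the first 300 bytes of each server response to the detection engine, so the commented-out default is shown beside the corrected block with flow_depth 0. The port list and the unicode map path are assumptions; the rule is the one from the original post.

```conf
# Added example, not from the thread. Snort 2.x snort.conf fragment.
# Assumptions: ports { 80 8080 } and the unicode.map path.

# Default behaviour: only the first 300 bytes of a server response are
# inspected (flow_depth 300), so "datatype error" sitting further down
# the HTML body never reaches the content matcher.
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#preprocessor http_inspect_server: server default \
#    profile all ports { 80 8080 }

# Corrected: flow_depth 0 removes the server-response limit so the whole
# response payload is inspected. This costs more detection work per flow
# on busy web servers, so scope it to the ports that actually need it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    flow_depth 0

# The rule from the original post, unchanged; it only fires once the
# setting above lets the full response through.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; \
    flow:from_server,established; content:"datatype error"; \
    classtype:web-application-attack; sid:80005; rev:1;)
```

Later Snort 2.x releases renamed this option server_flow_depth and kept flow_depth as the old spelling, so the same line works on those versions; on any version, the quickest check that the setting took effect is to replay the captured response and confirm the alert now fires.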




