[Snort-sigs] Newbie: How to monitor posted form data?

Kirk Anderson KirkA at ...528...
Fri Apr 19 17:52:01 EDT 2002


I need to write a rule that alerts me when a web user submits a specific
string of text into a standard HTML submit form.  I have tried using both
"content" and "uricontent" options to catch the string but neither one does
the trick.

Example scenario:   I have a page called "test.asp" upon which there is a
text field and a submit button.  I want to get an alert when a user types
"teststring" in the field and clicks submit to post it to my webserver.  The
pages involved are not SSL encrypted.

My rule looks like this currently...

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Test";flags: A+;
content:"test.asp"; content:"teststring"; nocase;
classtype:web-application-activity; sid:1000002; rev:4;) 
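
Added example (not part of the original post and not Snort code): a Python model of how the rule's two content options are evaluated against each TCP payload, run over a constructed POST to test.asp. It assumes a client that sends the request headers and the form body in separate segments, one case in which a per-packet match on both strings cannot fire; the host name and the field name "field1" are hypothetical.

```python
# Added example: models how the posted rule's two content options are
# evaluated against TCP payloads. All traffic below is constructed sample data.

def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Plain substring test, like a content option without offset/depth."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

def rule_matches(payload: bytes) -> bool:
    """Both content options must hit in the SAME payload.
    nocase modifies only the content option it follows ("teststring")."""
    return (content_match(payload, b"test.asp")
            and content_match(payload, b"teststring", nocase=True))

def alerts_per_packet(segments):
    """Inspect each TCP segment on its own (no stream reassembly)."""
    return [rule_matches(s) for s in segments]

def alerts_reassembled(segments):
    """Inspect the client-to-server byte stream as one buffer."""
    return rule_matches(b"".join(segments))

# Constructed request; host and form field name are hypothetical.
HEADERS = (b"POST /test.asp HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 17\r\n\r\n")
BODY = b"field1=TestString"

ONE_SEGMENT = [HEADERS + BODY]   # headers and body arrive in one packet
TWO_SEGMENTS = [HEADERS, BODY]   # body arrives in its own packet

if __name__ == "__main__":
    for name, segs in (("one segment", ONE_SEGMENT),
                       ("two segments", TWO_SEGMENTS)):
        print(name,
              "per-packet:", alerts_per_packet(segs),
              "reassembled:", alerts_reassembled(segs))
```

In the two-segment case "test.asp" is only in the first payload and "teststring" only in the second, so neither packet satisfies both options; the match succeeds only on the reassembled stream.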