[Snort-sigs] Newbie: How to monitor posted form data?
KirkA at ...528...
Fri Apr 19 17:52:01 EDT 2002
I need to write a rule that alerts me when a web user submits a specific
string of text into a standard HTML submit form. I have tried using both
"content" and "uricontent" options to catch the string but neither one does
Example scenario: I have a page called "test.asp" upon which there is a
text field and a submit button. I want to get an alert when a user types
"teststring" in the field and clicks submit to post it to my webserver. The
pages involved are not SSL encrypted.
My rule looks like this currently...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Test";flags: A+;
content:"test.asp"; content:"teststring"; nocase;
classtype:web-application-activity; sid:1000002; rev:4;)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs