[Snort-sigs] how to inspect http payload

曾代科 scybzdk at ...1318...
Fri May 25 07:47:34 EDT 2012


Hey there,


I want to match content included in the HTTP payload against the HTTP payload that is decompressed by Snort.


My suggestion is the following:
alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;) 


I can get the message on the console when I use the wget command,
e.g.: wget www.baidu.com


But when I access the same website with a browser I can't get the message.
I know the HTTP data is compressed by gzip,
and I can print the decompressed data to the screen.


Why can't Snort match the content in the payload?


The config file is the default snort.conf. I just added a rule to the file.


How do I configure snort.conf?


I would appreciate any inspiration.


Cheers!
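Editor's note, not part of the original message: in Snort 2.9 `file_data` is a sticky buffer modifier. It redirects the `content` and `pcre` options that come *after* it to the decoded HTTP response body; a `content` placed *before* it is still matched against the raw TCP payload. In the rule above the order is `content:"background";file_data;`, so the match runs on the raw payload. That works for wget, which does not advertise `Accept-Encoding: gzip` and therefore receives the page uncompressed, but fails for a browser, whose response body arrives gzip-compressed and no longer contains the literal bytes `background`. The corrected rule is `alert tcp any 80 <> any any (msg:"message"; file_data; content:"background"; sid:1000001;)`, and it additionally requires that the `preprocessor http_inspect_server` line in snort.conf includes `extended_response_inspection` and `inspect_gzip`, which the default 2.9 snort.conf does. The Python below is an added example that reproduces the mechanism offline with two constructed responses (one identity-encoded as wget would receive it, one gzip-encoded as a browser would); `match_raw_payload` stands in for a plain `content` match and `match_file_data` for `file_data; content`. It is illustrative code, not Snort's own implementation.

```python
import gzip
import re

# Constructed sample page body (not a real capture). The word "background" is
# what the rule in the message above looks for.
BODY = b'<html><body style="background: #fff">hello</body></html>'


def build_response(body: bytes, compress: bool) -> bytes:
    """Assemble a minimal HTTP/1.1 response, gzip-encoding the body if asked.

    compress=False models what wget gets (it sends no Accept-Encoding: gzip);
    compress=True models what a browser advertising gzip gets back.
    """
    extra = b""
    if compress:
        body = gzip.compress(body, mtime=0)
        extra = b"Content-Encoding: gzip\r\n"
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        + b"Content-Type: text/html\r\n"
        + extra
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"\r\n"
    )
    return headers + body


def split_response(raw: bytes):
    """Separate the header block from the body at the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def decoded_body(raw: bytes) -> bytes:
    """Approximation of the buffer file_data selects when http_inspect has
    inspect_gzip enabled: the response body with gzip encoding removed."""
    head, body = split_response(raw)
    if re.search(rb"(?im)^content-encoding:\s*gzip\s*$", head):
        return gzip.decompress(body)
    return body


def match_raw_payload(raw: bytes, pattern: bytes) -> bool:
    """content:"..." with no buffer modifier: searched in the raw TCP payload,
    which for a gzip response is still the compressed bytes."""
    return pattern in raw


def match_file_data(raw: bytes, pattern: bytes) -> bool:
    """file_data; content:"...": searched in the decoded response body."""
    return pattern in decoded_body(raw)


if __name__ == "__main__":
    pat = b"background"
    for label, resp in (("wget (identity)", build_response(BODY, False)),
                        ("browser (gzip)", build_response(BODY, True))):
        print(f"{label:16s} raw payload match: {match_raw_payload(resp, pat)!s:5s}  "
              f"file_data match: {match_file_data(resp, pat)}")
```

Running it shows the asymmetry the message describes: the identity-encoded response matches either way, while the gzip-encoded response only matches once the body is decoded, which is exactly what moving `file_data` in front of `content` does in the real rule.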


