[Snort-sigs] how to inspect http payload
scybzdk at ...1318...
Fri May 25 07:47:34 EDT 2012
I want to match content included in the HTTP payload against the HTTP payload that is decompressed by Snort.
My suggestion is the following:
alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;)
I can get the message on the console when I use the wget command.
e.g.: wget www.baidu.com
But when I access the same website with a browser, I can't get the message.
I know the HTTP data is compressed by gzip,
and I can print the decompressed data to the screen.
Why can't Snort match the content to the payload?
The config file is the default snort.conf. I just add a rule in the file.
How do I configure snort.conf?
I would appreciate any inspiration.