[Snort-sigs] how to inspect http payload

曾代科 scybzdk at ...1318...
Fri May 25 07:47:34 EDT 2012

Hey there,

I want to match content included in the HTTP payload against the HTTP payload that is decompressed by Snort.

My suggestion is the following:
alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;) 

I can get the message on the console when I use the wget command.
e.g.: wget www.baidu.com

But when I access the same website with a browser, I can't get the message.
I know the HTTP data is compressed by gzip,
and I can print the decompressed data to the screen.

Why can't Snort match the content to the payload?

The config file is the default snort.conf. I just added a rule to the file.

How do I configure snort.conf?

I would appreciate any inspiration.

