[Snort-sigs] how to inspect http payload

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Fri May 25 08:35:58 EDT 2012


You must have file_data before content so it'll point to the correct
buffer before looking for this content.

file_data; content: ....

Regards,

2012/5/25, 曾代科 <scybzdk at ...1318...>:
> Hey there,
>
>
> I want to match the contents which are included in the http payload to the http
> payload that is decompressed by snort.
>
>
> my suggestion is the following:
> alert tcp any 80 <> any any
> (msg:"message";content:"background";file_data;sid:1000001;)
>
>
> I can get the message on the console when I use wget command.
> eg: wget www.baidu.com
>
>
> But when I access the same website with browser I can't get the message.
> I know the http data is compressed by gzip,
> and I can print the decompressed data to the screen.
>
>
> Why can't snort match the content to the payload?
>
>
> The config file is the default snort.conf. I just add a rule in the file.
>
>
> How do I configure snort.conf?
>
>
> I would appreciate any inspiration.
>
>
> cheers!
>
>

-- 
Sent from my mobile phone

Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
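As an added illustration (not part of the thread, and not Snort's own code), a small Python model of the point Rodrigo makes: a `content` option searches whichever buffer was last selected, so `file_data` must come first for the match to run against the decompressed response body. It assumes a gzip-encoded body is what the browser receives and an identity-encoded body is what `wget` receives; the two rule strings are the one from the question and its corrected ordering.

```python
import gzip
import re

# Constructed sample body: what wget receives (identity encoding) and, after
# gzip.compress, what a browser that sent Accept-Encoding: gzip sees on the wire.
PLAIN_BODY = (b"<html><head><style>body{background:#fff}</style></head>"
              b"<body><div class='row'></div><div class='row'></div></body></html>")
GZIP_BODY = gzip.compress(PLAIN_BODY)

# The rule from the question (content before file_data) and the corrected ordering.
WRONG_ORDER = 'alert tcp any 80 <> any any (msg:"message";content:"background";file_data;sid:1000001;)'
RIGHT_ORDER = 'alert tcp any 80 <> any any (msg:"message";file_data;content:"background";sid:1000001;)'


def parse_rule_options(rule):
    """Split the parenthesised option block of a Snort rule, preserving order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [opt.strip() for opt in body.split(";") if opt.strip()]


def rule_matches(rule, wire_body, content_encoding=None):
    """Simplified model of option evaluation: options apply left to right and a
    content match searches whichever buffer is currently selected.  The default
    is the raw packet payload; file_data switches to the decompressed HTTP
    response body (what http_inspect exposes when gzip decompression is on).
    Only plain-text content matches are modelled; no modifiers, no hex."""
    buffer = wire_body
    for opt in parse_rule_options(rule):
        if opt == "file_data":
            buffer = gzip.decompress(wire_body) if content_encoding == "gzip" else wire_body
        elif opt.startswith("content:"):
            m = re.match(r'content:\s*"([^"]*)"', opt)
            if m is None or m.group(1).encode() not in buffer:
                return False
    return True


if __name__ == "__main__":
    for name, rule in (("content;file_data", WRONG_ORDER), ("file_data;content", RIGHT_ORDER)):
        print(f"{name:18} wget (identity): {rule_matches(rule, PLAIN_BODY)}")
        print(f"{name:18} browser (gzip) : {rule_matches(rule, GZIP_BODY, 'gzip')}")
```

The wrong ordering still fires for the uncompressed `wget` response, which is exactly why the rule seemed to work from the console and not from a browser.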
