[Snort-sigs] HTML Form URL Encoded

Steven Fitzpatrick sfitzpatrick at ...4050...
Wed Jul 15 11:44:39 EDT 2015


Good afternoon,

I captured a packet in Wireshark showing passwords being sent in clear text, so I want to create an alert for this, but I am having some issues.

In the packet it's got HTML Form URL Encoded and then the various form fields, one of which is Form Item: "j_password".

My rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:""; flow:to_server; content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000; rev:1;)

I am new to rule writing, so I'm sure the above probably isn't the best way to go about it, but it's not triggering.

Any ideas?

Thanks

Steven Fitzpatrick
ICT Support Technician



T: 01752 762118
E: sfitzpatrick at ...4052...
www.plymouthsciencepark.com

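An added example, not part of the original post and not a Snort rule: an offline Python check that can be run over the reassembled request bytes from a capture to confirm that a form-URL-encoded POST body carries a non-empty password field in clear text, as the message above describes. It decodes percent-encoding first, so a field name sent as j%5Fpassword is reported the same as j_password. The sample requests, host name and function name are constructed for illustration.

```python
from typing import List
from urllib.parse import parse_qsl

# Constructed sample requests (not taken from the poster's capture).
SAMPLE_PLAIN = (
    b"POST /j_security_check HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n\r\n"
    b"j_username=alice&j_password=S3cret%21x"
)
SAMPLE_ENCODED = (
    b"POST /j_security_check HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Content-Length: 35\r\n\r\n"
    b"j%5Fpassword=hunter2&j_username=bob"
)
SAMPLE_GET = b"GET /login?j_password=x HTTP/1.1\r\nHost: app.example.test\r\n\r\n"


def cleartext_password_fields(raw_request: bytes, needle: str = "password") -> List[str]:
    """Return decoded names of non-empty form fields in a POST body
    whose name contains `needle` (case-insensitive)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return []  # headers incomplete, nothing to inspect
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[0] != "POST":
        return []
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    # Ignore parameters such as "; charset=UTF-8" after the media type.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return []
    # parse_qsl percent-decodes both names and values.
    fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    return [name for name, value in fields if needle in name.lower() and value]


if __name__ == "__main__":
    for label, req in [("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED), ("get", SAMPLE_GET)]:
        print(label, cleartext_password_fields(req))
```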