[Snort-sigs] HTML Form URL Encoded

Alex McDonnell amcdonnell at ...435...
Wed Jul 15 12:19:50 EDT 2015


If you have a packet, that's the best way for us to help troubleshoot your
rule. Note that you don't have to turn _ into |5F| in your content match.

thanks
Alex McDonnell
TALOS

On Wed, Jul 15, 2015 at 11:44 AM, Steven Fitzpatrick <sfitzpatrick at ...4050...> wrote:

> Good afternoon,
>
> I captured a packet in Wireshark showing passwords being sent in clear
> text, so I want to create an alert for this but am having some issues.
>
> In the packet it's got "HTML Form URL Encoded" and then the various form
> fields, one of which is Form Item: "j_password".
>
> My rule is:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"j_password sent in clear text"; flow:to_server;
> content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000;
> rev:1;)
>
> I am new to rule writing so I'm sure that the above probably isn't the best way to
> go about it, but it's not triggering.
>
> Any ideas?
>
> Thanks
>
> *Steven Fitzpatrick*
> ICT Support Technician
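The two points in the thread, that `|5F|` is just the byte for `_` and that the `j_password` item lives in the URL-encoded POST body rather than in the request line, can be checked outside Snort against the packet itself. The following Python is an added example, not code from the thread or from Snort: it expands Snort's `|hex|` content syntax, splits a raw HTTP request into method, headers and body, and reports which watched password field names appear as form items in a clear-text POST. The request bytes, host, path and credentials are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request (host, path and credentials are made up):
# the kind of clear-text form POST Wireshark labels "HTML Form URL Encoded".
SAMPLE_REQUEST = (
    b"POST /j_security_check HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"j_username=alice&j_password=Summer2015"
)

_PIPE_HEX = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort |hex| escapes, e.g. "j|5f|password" -> b"j_password".

    As the reply says, "_" is byte 0x5f, an ordinary printable character,
    so spelling it |5F| is legal but unnecessary: both forms produce the
    same bytes and therefore the same match.
    """
    out = bytearray()
    pos = 0
    for m in _PIPE_HEX.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex ignores whitespace between byte pairs
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in request")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("ascii"), target.decode("latin-1"), headers, body


def body_contains(raw: bytes, content: str, nocase: bool = True) -> bool:
    """Does the expanded content pattern occur in the request body?

    This is the part of the request a body-scoped content match looks at;
    the "POST" in the rule is matched against the method instead.
    """
    _method, _target, _headers, body = parse_http_request(raw)
    needle = snort_content_to_bytes(content)
    if nocase:
        return needle.lower() in body.lower()
    return needle in body


def cleartext_password_fields(raw: bytes, watched=("j_password", "password", "passwd")):
    """Return the watched field names present as form items in a POST body.

    Narrower than a raw substring match: the method must be POST, the body
    must be form-encoded, and the name must be an actual field name.
    """
    method, _target, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    present = {name.lower() for name in fields}
    return [name for name in watched if name.lower() in present]


if __name__ == "__main__":
    print(snort_content_to_bytes("j|5f|password"))         # b'j_password'
    print(body_contains(SAMPLE_REQUEST, "j|5f|password"))  # True
    print(body_contains(SAMPLE_REQUEST, "j_password"))     # True, identical bytes
    print(cleartext_password_fields(SAMPLE_REQUEST))       # ['j_password']
```

Running it against a packet's payload carved out of the capture (rather than the constructed sample) shows whether the bytes the rule is looking for are actually in the body of the request the sensor saw, which is the first thing to establish before tuning content modifiers or the rule's network variables.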