[Snort-sigs] HTML Form URL Encoded

강명훈 mhkang589 at ...2420...
Fri Jul 24 07:54:16 EDT 2015


Hi,

The content modifier http_client_body can search the message body.
And I think you should write as many of the URL-encoded patterns as possible.

sample:)
content:"j_password"; nocase; http_client_body;
pcre:"/pw|%50%57|pass|%50%41%53%53|password|%50%41%53%53%57%4f%52%44/iP";

Best regards.

2015-07-16 1:19 GMT+09:00 Alex McDonnell <amcdonnell at ...435...>:

> If you have a packet, that's the best way for us to help troubleshoot your
> rule. Note that you don't have to turn _ into |5F| in your content match.
>
> thanks
> Alex McDonnell
> TALOS
>
> On Wed, Jul 15, 2015 at 11:44 AM, Steven Fitzpatrick <
> sfitzpatrick at ...4050...> wrote:
>
>> Good afternoon,
>>
>> I captured a packet in Wireshark showing passwords being sent in clear
>> text, so I want to create an alert for this but am having some issues.
>>
>> In the packet it's got HTML Form URL encoded and then the various form
>> fields, one of which is Form Item: "j_password"
>>
>> My rule is:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:""; flow:to_server;
>> content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000;
>> rev:1;)
>>
>> I am new to rule writing so I'm sure the above probably isn't the best way
>> to go about it, but it's not triggering.
>>
>> Any ideas?
>>
>> Thanks
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
>
>
>



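The thread turns on two facts about an application/x-www-form-urlencoded body: the bytes of `j_password` and `j|5f|password` are identical, so the `|5F|` escape buys nothing, while a field name that actually arrives percent-encoded (`j%5Fpassword`) is not matched by either. The pcre in the reply above handles that by enumerating encoded spellings of `pw`, `pass` and `password`. The script below is an added example, not Snort code and not from anyone in the thread; the two HTTP requests in it are constructed. It extracts the client body the way `http_client_body` scopes a match, shows that a raw byte match hits the plain body and misses the encoded one, and then does the defender's alternative: decode once and match the decoded field names, after which the six pcre alternatives collapse to `pw|pass`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample login POST whose body is application/x-www-form-urlencoded
# (what Wireshark labels "HTML Form URL Encoded"). Headers and body are
# separated by a blank line; Content-Length counts the 38 body bytes.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "j_username=alice&j_password=Hunter2%21"
)

# The same form with the field names percent-encoded more aggressively
# (%5F is '_', %70 is 'p'). A server decodes this to exactly the same fields.
ENCODED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "j%5Fusername=alice&j%5F%70assword=Hunter2%21"
)

# After percent-decoding, "password" is covered by "pass", so the thread's
# pw|%50%57|pass|%50%41%53%53|password|%50%41%53%53%57%4f%52%44 reduces to this.
PASSWORD_FIELD = re.compile(r"pw|pass", re.IGNORECASE)


def client_body(request: str) -> str:
    """Return the message body: the part of the request that a content match
    with the http_client_body modifier is restricted to (everything after the
    first blank line). Returns "" when there is no header/body separator."""
    _head, sep, body = request.partition("\r\n\r\n")
    return body if sep else ""


def percent_encode_all(word: str) -> str:
    """Fully percent-encode a keyword, e.g. 'PASS' -> '%50%41%53%53'.
    This is the form of the encoded alternatives in the thread's pcre."""
    return "".join(f"%{b:02X}" for b in word.encode("ascii"))


def raw_match(body: str, needle: str = "j_password") -> bool:
    """Case-insensitive match on the raw body bytes, equivalent to
    content:"j_password"; nocase; http_client_body; with no decoding.
    'j|5f|password' is the same needle: |5f| is just the byte for '_'."""
    return needle.lower() in body.lower()


def decoded_form_fields(body: str) -> dict:
    """Percent-decode the body and split it into name -> value pairs.
    Decoding once makes j%5Fpassword, j_password and j_%70assword one name."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def cleartext_password_fields(request: str) -> list:
    """Names of form fields in the request body that look like password
    fields, found on the decoded names rather than by enumerating encodings."""
    fields = decoded_form_fields(client_body(request))
    return sorted(name for name in fields if PASSWORD_FIELD.search(name))


if __name__ == "__main__":
    for label, req in (("plain", SAMPLE_REQUEST), ("encoded", ENCODED_REQUEST)):
        body = client_body(req)
        print(f"{label:8} raw match on j_password: {raw_match(body)}")
        print(f"{label:8} decoded password fields: {cleartext_password_fields(req)}")
    print("PASSWORD fully encoded:", percent_encode_all("PASSWORD"))
```

The raw match is exactly what the rule in the quoted message does, so the decode-then-match path is what a rule author is approximating when they add encoded alternatives to the pcre. Whether your inspection engine normalizes the client body before the content match is specific to the engine and version you run and is worth confirming with a test packet, as the reply from Talos suggests, before relying on a single spelling of the field name.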