[Snort-sigs] Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule

Avery Rozar avery.rozar at ...4102...
Sat Jan 28 11:34:58 EST 2017


That worked, thank you YM.

On Sat, Jan 28, 2017 at 9:42 AM, Y M <snort at ...3751...> wrote:

>
> You are using the file_data buffer, which as far as I know is used with
> responses, however, your rule is attempting to trigger on requests through
> the rule direction and the flow configuration, or at least that's what I am
> seeing. Please correct me if I misunderstood your question.
>
> If you remove the file_data from the rule, what happens?
>
> Also if you want to be more specific in your rule, you can add a content
> detection to detect the content-type header.
>
> YM
>
> _____________________________
> From: Avery Rozar <avery.rozar at ...4102...>
> Sent: Saturday, January 28, 2017 5:34 PM
> Subject: [Snort-sigs] Content-Type: application/x-www-form-urlencoded
> allows bypass of my snort rule
> To: <snort-sigs at lists.sourceforge.net>
>
>
>
> I'm trying to setup a rule to deny anyone that is not coming from $VPN_NET
> from attempting to log into word press.
>
> # in snort.conf
> ip var VPN_NET [cidr,cidr]
>
> # in local.rules
> drop tcp !$VPN_NET any -> $HOME_NET any (msg:"WordPress Login attempt";
> flow:to_server,established; file_data; content:"wp-login"; nocase; content:
> "POST"; nocase; http_method; classtype:misc-activity; sid:500001; rev:1;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;)
>
>
> This rule seems to stop anything unless the POST is using 'Content-Type:
> application/x-www-form-urlencoded'. What is the best way to allow snort
> to deal with urlencoded POSTs, or is my rule just jacked up?
>
>
> Thanks,
> Avery
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170128/88199e54/attachment.html>


More information about the Snort-sigs mailing list