[Snort-sigs] Content-Type: application/x-www-form-urlencoded allows bypass of my snort rule

강명훈 mhkang589 at ...2420...
Sun Jan 29 23:46:25 EST 2017


The file_data option sets the cursor used for detection to one of the
following buffers: 1. HTTP response body 2. SMTP/POP/IMAP data body.

If you want to restricts the search to the body of an HTTP client request,
try use content modifier http_client_body

2017-01-28 23:07 GMT+09:00 Avery Rozar <avery.rozar at ...4102...>:

> I'm trying to setup a rule to deny anyone that is not coming from $VPN_NET
> from attempting to log into word press.
>
> # in snort.conf
> ip var VPN_NET [cidr,cidr]
>
> # in local.rules
> drop tcp !$VPN_NET any -> $HOME_NET any (msg:"WordPress Login attempt";
> flow:to_server,established; file_data; content:"wp-login"; nocase; content:
> "POST"; nocase; http_method; classtype:misc-activity; sid:500001; rev:1;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;)
>
>
> This rule seems to stop anything unless the POST is using 'Content-Type:
> application/x-www-form-urlencoded'. What is the best way to allow snort
> to deal with urlencoded POSTs, or is my rule just jacked up?
>
>
> Thanks,
> Avery
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>



-- 
-----------------------
Kang Myoung-hun
-----------------------
+82-10 6604 6084
kangmyounghun.blogspot.kr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170130/23835afa/attachment.html>


More information about the Snort-sigs mailing list