[Snort-users] HTTP preprocessor and POST data
xavi.garcia at ...11827...
Thu Mar 25 14:26:38 EDT 2010
I am learning how HTTP Inspect works and also trying
to write some rules that use normalized data. I think that
all is explained in the documentation and you have done
a great job, but I have a doubt regarding the POST data.
I am sure that my question is too obvious, but I have tried
to find the right answer by myself without luck. :)
I see that the newer versions of Snort permit to normalize
data from the URI, headers, cookies and the body, but there
is nothing about the POST data. I have tried to use the
different modifiers for "content" without luck.
I understand that POST data cannot be normalized, but
there is no mention in the documentation. Am I wrong?
In that case, which is the best practice when I want to
detect an attack that is using POST instead of GET?
Thank you very much for your help :)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users