[Snort-users] HTTP preprocessor and POST data
Parker_Crook at ...14786...
Thu Mar 25 14:45:29 EDT 2010
You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however, for the data normalization, I'm having a brain-fart right now... maybe somebody else knows, perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";
From: Xavi Garcia [mailto:xavi.garcia at ...11827...]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] HTTP preprocessor and POST data
I am learning how HTTP Inspect works and also trying
to write some rules that use normalized data. I think that
all is explained in the documentation and you have done
a great job, but I have a doubt regarding the POST data.
I am sure that my question is too obvious, but I have tried
to find the right answer by myself without luck. :)
I see that the newer versions of Snort permit normalizing
data from the URI, headers, cookies and the body, but there
is nothing about the POST data. I have tried to use the
different modifiers for "content" without luck.
I understand that POST data cannot be normalized, but
there is no mention in the documentation. Am I wrong?
In that case, which is the best practice when I want to
detect an attack that is using POST instead of GET?
Thank you very much for your help :)