[Snort-users] HTTP preprocessor and POST data

Crook, Parker Parker_Crook at ...14786...
Thu Mar 25 14:45:29 EDT 2010


You can definitely use the (content:"POST"; http_method;) to alert only on POST data; however for the data normalization, I'm having a brain-fart right now... maybe somebody else knows, perhaps content:"<match_string>"; http_uri; pcre:"<more specific criteria>";



From: Xavi Garcia [mailto:xavi.garcia at ...11827...]
Sent: Thursday, March 25, 2010 2:27 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] HTTP preprocessor and POST data


I am learning how HTTP Inspect works and also trying
to write some rules that use normalized data. I think that
all is explained in the documentation and you have done
a great job, but I have a doubt regarding the POST data.

I am sure that my question is too obvious, but I have tried
to find the right answer by myself without luck. :)

I see that the newer versions of Snort permit to normalize
data from the URI, headers, cookies and the body, but there
is nothing about the POST data. I have tried to use the
different modifiers for  "content" without luck.

I understand that POST data cannot be normalized, but
there is no mention in the documentation. Am I wrong?
In that case, which is the best practice when I want to
detect an attack that is using POST instead of GET?

Thank you very much for your help :)


Xavier Garcia

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100325/4bd9555d/attachment.html>

More information about the Snort-users mailing list