[Snort-users] HTTP preprocessor and POST data
xavi.garcia at ...11827...
Thu Mar 25 15:00:25 EDT 2010
Thank you for your fast answer.
As far as I understand, http_uri works like uricontent.
It is useful to fix the resource being requested
but then we have to match against the data. I have
only been able to do so when I use "content".
2010/3/25 Crook, Parker <Parker_Crook at ...14786...>
> You can definitely use the (content:"POST"; http_method;) to alert only on
> POST data; however for the data normalization, I'm having a brain-fart right
> now… maybe somebody else knows, perhaps content:"<match_string>"; http_uri;
> pcre:"<more specific criteria>";
> *From:* Xavi Garcia [mailto:xavi.garcia at ...11827...]
> *Sent:* Thursday, March 25, 2010 2:27 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] HTTP preprocessor and POST data
> I am learning how HTTP Inspect works and also trying
> to write some rules that use normalized data. I think that
> all is explained in the documentation and you have done
> a great job, but I have a doubt regarding the POST data.
> I am sure that my question is too obvious, but I have tried
> to find the right answer by myself without luck. :)
> I see that the newer versions of Snort permit normalizing
> data from the URI, headers, cookies and the body, but there
> is nothing about the POST data. I have tried to use the
> different modifiers for "content" without luck.
> I understand that POST data cannot be normalized, but
> there is no mention in the documentation. Am I wrong?
> In that case, which is the best practice when I want to
> detect an attack that is using POST instead of GET?
> Thank you very much for your help :)
> Xavier Garcia
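
As an added illustration (not part of the thread, and not Snort's own code): a Python sketch of the three checks discussed above, the method test, the URI test and a plain content match on the POST data, showing why the body match should run on form-decoded data. The sample request, host name, path and pattern are constructed for this example.

```python
from urllib.parse import unquote, unquote_plus

# Constructed sample request: the form value percent-encodes "../".
SAMPLE = (
    b"POST /app/view.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"file=%2e%2e%2f%2e%2e%2fsecret.txt"
)

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body

def inspect(raw: bytes, uri_pattern: str, body_pattern: str) -> dict:
    """Report which checks match.

    method       -> analogue of content:"POST"; http_method;
    uri          -> analogue of content:"..."; http_uri;
    body_raw     -> plain content match on the POST data as sent
    body_decoded -> the same match after form decoding (hypothetical
                    normalization step written for this example)
    """
    method, uri, headers, body = split_request(raw)
    result = {"method": method == "POST",
              "uri": uri_pattern in unquote(uri),
              "body_raw": False, "body_decoded": False}
    if not result["method"]:
        return result
    text = body.decode("latin-1")
    result["body_raw"] = body_pattern in text
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        # Decode the way the receiving application will before using the value.
        text = unquote_plus(text)
    result["body_decoded"] = body_pattern in text
    return result

if __name__ == "__main__":
    print(inspect(SAMPLE, "/app/view.php", "../"))
```
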