[Snort-users] HTTP preprocessor and POST data

Xavi Garcia xavi.garcia at ...11827...
Thu Mar 25 15:00:25 EDT 2010


Hi,

Thank you for your fast answer.

As far as I understand, http_uri works like uricontent.
It is useful to fix the resource being requested,
but then we have to match against the data. I have
only been able to do so when I use "content"
without modifiers.

Regards,

Xavier Garcia

2010/3/25 Crook, Parker <Parker_Crook at ...14786...>

>  Xavi,
>
>
>
> You can definitely use the (content:"POST"; http_method;) to alert only on
> POST data; however for the data normalization, I'm having a brain-fart right
> now... maybe somebody else knows, perhaps content:"<match_string>"; http_uri;
> pcre:"<more specific criteria>";
>
>
>
> -Parker
>
>
>  ------------------------------
>
> *From:* Xavi Garcia [mailto:xavi.garcia at ...11827...]
> *Sent:* Thursday, March 25, 2010 2:27 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] HTTP preprocessor and POST data
>
>
>
> Hi,
>
> I am learning how HTTP Inspect works and also trying
> to write some rules that use normalized data. I think that
> all is explained in the documentation and you have done
> a great job, but I have a doubt regarding the POST data.
>
> I am sure that my question is too obvious, but I have tried
> to find the right answer by myself without luck. :)
>
> I see that the newer versions of Snort permit normalizing
> data from the URI, headers, cookies and the body, but there
> is nothing about the POST data. I have tried to use the
> different modifiers for "content" without luck.
>
> I understand that POST data cannot be normalized, but
> there is no mention in the documentation. Am I wrong?
> In that case, what is the best practice when I want to
> detect an attack that is using POST instead of GET?
>
> Thank you very much for your help :)
>
> Regards,
>
> Xavier Garcia
>
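The thread asks how to write a rule that inspects the body of a POST request against HTTP Inspect's normalized buffers rather than the raw packet payload. The rule below is an added example, not code from either poster or from the Snort project's rule sets. It assumes a Snort 2.8-era snort.conf with the http_inspect_server preprocessor enabled and the usual $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS variables defined; the /login path and the string example_marker are constructed placeholders standing in for a real resource and a real attack signature.

```snort
# Added example (not from the mailing-list thread). Assumes Snort 2.8.x with the
# http_inspect_server preprocessor enabled for the $HTTP_SERVERS/$HTTP_PORTS pair.
# Three content matches, each bound to a different normalized HTTP buffer:
#   http_method       - the request method ("POST")
#   http_uri          - the normalized request URI
#   http_client_body  - the normalized request body, i.e. the POST data itself
# "/login" and "example_marker" are constructed placeholders for this illustration.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"EXAMPLE web-app marker string in POST body to /login"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/login"; http_uri; \
    content:"example_marker"; http_client_body; nocase; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; \
)
```

Points worth checking when adapting this: flow:to_server,established keeps the rule on the client-to-server side of the session, where the POST body travels; the three modifiers apply only to the content keyword immediately before them, so a match in the body does not accidentally satisfy the URI check and vice versa; and http_client_body only sees as much of the body as the preprocessor's post_depth setting (assumed here to be configured in the http_inspect_server block) lets it inspect, so a very large request body can carry a match beyond the inspected depth. The sid is in the local range (1000000 and above) so it does not collide with distributed rule sets.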