[Snort-users] Snort cannot detect HTTP OPTIONS payload

Maxim hittlle at ...7427...
Thu Nov 3 02:28:45 EDT 2016


Hi all, 
Does anyone know how to match an HTTP OPTIONS payload? It seems that Snort doesn't support detection of an HTTP OPTIONS payload. I wrote the following rule:

    alert tcp any any -> any any (content:"OPTIONS";nocase;http_method; pcre:"/A{10, }/iP"; sid:10000001;rev:1;classtype:web-application-attack;msg:"CVE-2010-0361";)

and I used curl to send such a request:

    curl -X OPTIONS -O '192.168.2.112' --data "AAAAAAAAAAAAAAAAAAAAAA"

Snort didn't trigger any alerts. Then I changed the rule to detect HTTP POST, and put it this way:

    alert tcp any any -> any any (content:"POST";nocase;http_method; pcre:"/A{10, }/iP"; sid:10000001;rev:1;classtype:web-application-attack;msg:"CVE-2010-0361";)

and used curl to send a POST request:

    curl -X POST -O '192.168.2.112' --data "AAAAAAAAAAAAAAAAAAAAAA"

This time, Snort triggered an alert, which is very strange. Am I missing anything?
Many thanks.
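The following is an added example, not part of the original post and not Snort's own code. It reconstructs the two requests the curl commands above send (the header set beyond the method, Host and body is assumed) and evaluates the rule's own conditions outside Snort: the case-insensitive method match that content/http_method expresses, and the body regex that pcre with the P flag applies to the client body. If both requests satisfy the rule text, the missing OPTIONS alert cannot come from the rule logic itself and must come from how Snort's HTTP preprocessor populates the normalized body buffer that the P flag reads. One caveat on the rule as it appears in the mail: the quantifier is written `A{10, }` with a space, and PCRE treats a brace expression that is not valid quantifier syntax as literal text, so unless the space is a rendering artifact the pattern would match neither request. The example checks both spellings.

```python
import re

# Constructed sample body, the same 22 'A's the curl commands send with --data.
BODY = "AAAAAAAAAAAAAAAAAAAAAA"


def build_request(method: str, host: str = "192.168.2.112", body: str = BODY) -> bytes:
    """Assemble a raw HTTP/1.1 request with a body, approximating curl --data.

    Only the method, Host and body come from the page; the remaining headers
    (User-Agent, Accept, Content-Type) are assumed values for illustration.
    """
    headers = [
        f"{method} / HTTP/1.1",
        f"Host: {host}",
        "User-Agent: curl/7.47.0",  # assumed version
        "Accept: */*",
        f"Content-Length: {len(body)}",
        "Content-Type: application/x-www-form-urlencoded",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("latin-1")


def split_request(raw: bytes):
    """Return (method, uri, body) from a raw request; headers are discarded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body


def rule_matches(raw: bytes, method: str, body_pcre: str) -> bool:
    """Evaluate the rule's conditions independently of any preprocessor.

    content:"<method>";nocase;http_method  ->  case-insensitive method compare
    pcre:"/<body_pcre>/iP"                 ->  regex over the client body, /i
    """
    req_method, _uri, body = split_request(raw)
    if req_method.lower() != method.lower():
        return False
    return re.search(body_pcre.encode("latin-1"), body, re.IGNORECASE) is not None


def evaluate_rules() -> dict:
    """Run both rule variants from the post against both requests.

    Keys are (method in rule, regex spelling); values say whether the rule text
    is satisfied by the request that curl -X <method> sends.
    """
    results = {}
    for method in ("OPTIONS", "POST"):
        request = build_request(method)
        # "A{10,}" is a valid quantifier: ten or more 'A's.
        results[(method, "A{10,}")] = rule_matches(request, method, r"A{10,}")
        # "A{10, }" is not valid quantifier syntax, so the braces are literal.
        results[(method, "A{10, }")] = rule_matches(request, method, r"A{10, }")
    return results


if __name__ == "__main__":
    for (method, pattern), matched in evaluate_rules().items():
        print(f"{method:8s} pcre:/{pattern}/iP  rule satisfied: {matched}")
```

Both the OPTIONS and the POST request satisfy the rule text with `A{10,}`, and neither does with the literal `A{10, }`, so the asymmetry the post reports is not explained by the rule's own conditions; when checking this against a live sensor, compare what the HTTP preprocessor reports as the client body for each method (for example by capturing the traffic and replaying it with `snort -r`) rather than changing the regex.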