| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu May 19 11:44:01 2005 From: fcharpen at xmcopartners.com (Frederic Charpentier) Subject: Content detection in html payload with snort ? hi list, I could not found an answer to my problem, so I ask the list : I use snort to detect attackers playing with my web application. I try to detect some specific text in html response, like "Bad User" ou " Warning Mysql Error". But snort stay blind. Sample : 1 - Attacker -> web-server : http://server/script.asp?param=' or 1=1-- 2 - web-server -> attacker : 200 OK, ......<html>......datatype error.... I try to catch the string "datatype error" with a snort rule like that : alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; flow:from_server,established; content:"datatype error"; classtype:web-application-attack; sid:80005; rev:1;) But Snort never detects that. I try with binary mode, same. When I sniff with ethereal, the packet I try to catch is like that : attcker -> web-webser : HTTP : GET http://server/script.asp?param=' web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE) If anyone have an idea ?
Powered by blists - more mailing lists