Message-ID: <428C6DFF.9060608@xmcopartners.com>
Date: Thu May 19 11:44:01 2005
From: fcharpen at xmcopartners.com (Frederic Charpentier)
Subject: Content detection in html payload with snort ?

hi list,
I could not find an answer to my problem, so I ask the list:

I use snort to detect attackers playing with my web application.
I try to detect some specific text in the html response, like "Bad User" or
"Warning Mysql Error". But snort stays blind.

Sample:
1 - Attacker   -> web-server : http://server/script.asp?param=' or 1=1--
2 - web-server -> attacker : 200 OK, ......<html>......datatype error....

I try to catch the string "datatype error" with a snort rule like this:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; 
flow:from_server,established; content:"datatype error"; 
classtype:web-application-attack; sid:80005; rev:1;)

But Snort never detects that.

I try with binary mode, same.
When I sniff with ethereal, the packet I try to catch looks like this:

attacker   -> web-server : HTTP : GET  http://server/script.asp?param='
web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified
web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)

If anyone has an idea?
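Added illustration, not part of the original post and not Snort's own code: the response body in the capture above arrives in a "Continuation" packet separate from the status line, and a body can also be cut across several TCP segments. The script below builds a constructed HTTP response, splits it into segments at chosen offsets (the response text, the sequence numbers and the cut points are all made up for the example), and compares a matcher that inspects each segment on its own with one that reorders the segments by sequence number and searches the reassembled stream. When "datatype error" straddles a segment boundary, only the reassembled search finds it; this is the kind of case stream reassembly on the server side of the connection exists to cover.

```python
"""Per-packet vs. reassembled content matching for a server HTTP response.

Constructed example: the response text, sequence numbers and segment
boundaries are invented for illustration; nothing here is captured data.
"""
from dataclasses import dataclass
from typing import List, Optional

PATTERN = b"datatype error"  # the content the rule in the post looks for


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample response: status line and headers, then a body that
# carries the string we want to detect.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Provider: datatype error in expression "
    b"'' or 1=1--'</body></html>"
)
HEADER_LEN = RESPONSE.index(b"\r\n\r\n") + 4   # end of the header block


def segment_response(data: bytes, isn: int, cuts: List[int]) -> List[Segment]:
    """Split `data` at the byte offsets in `cuts` into TCP-like segments,
    numbering them from the initial sequence number `isn`."""
    segs, start = [], 0
    for cut in sorted(cuts) + [len(data)]:
        segs.append(Segment(isn + start, data[start:cut]))
        start = cut
    return segs


def match_per_packet(segs: List[Segment], pattern: bytes = PATTERN) -> bool:
    """Inspect every segment in isolation, as a rule without stream
    reassembly would: a pattern split over two segments is never seen."""
    return any(pattern in s.payload for s in segs)


def reassemble(segs: List[Segment]) -> bytes:
    """Order segments by sequence number and concatenate their payloads,
    dropping bytes already seen when a segment is retransmitted.
    Gaps (a missing segment) are not filled; the stream simply continues."""
    stream = b""
    expected: Optional[int] = None
    for s in sorted(segs, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq < expected:          # overlap with data already in the stream
            payload = s.payload[expected - s.seq:]
        else:
            payload = s.payload
        stream += payload
        expected = max(expected, s.seq + len(s.payload))
    return stream


def match_reassembled(segs: List[Segment], pattern: bytes = PATTERN) -> bool:
    """Search the reassembled server-to-client stream instead of each packet."""
    return pattern in reassemble(segs)


def demo() -> dict:
    """Run the comparison on three constructed deliveries of the same response."""
    split_in_pattern = RESPONSE.index(PATTERN) + len(b"datatype")
    # headers alone, then body cut so that "datatype" / " error" land in
    # different segments (the case per-packet matching misses)
    straddling = segment_response(RESPONSE, 1000, [HEADER_LEN, split_in_pattern])
    # same segments delivered out of order, plus one retransmission
    reordered = list(reversed(straddling)) + [straddling[1]]
    # headers in one segment, whole body in the next ("Continuation" packet)
    whole_body = segment_response(RESPONSE, 1000, [HEADER_LEN])
    return {
        "straddling_per_packet": match_per_packet(straddling),
        "straddling_reassembled": match_reassembled(straddling),
        "reordered_reassembled": match_reassembled(reordered),
        "whole_body_per_packet": match_per_packet(whole_body),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} {'ALERT' if hit else 'no match'}")
```

The per-packet matcher stands in for a rule evaluated against individual packets; the reassembled matcher stands in for the same `content:` check applied after the server-to-client side of the connection has been reassembled. The third case shows that a body delivered whole in one continuation packet is found either way, so a miss on a single-packet body points at something other than segmentation (for example the rule's flow or port variables).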
