Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Content detection in html payload with snort ?
From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Thu, 19 May 2005 12:44:15 +0200

hi list,
I could not found an answer to my problem, so I ask the list :

I use snort to detect attackers playing with my web application.
I try to detect some specific text in html response, like "Bad User" ou " Warning Mysql Error". But snort stay blind.

Sample :
1 - Attacker   -> web-server : http://server/script.asp?param=&apos; or 1=1--
2 - web-server -> attacker : 200 OK, ......<html>......datatype error....

I try to catch the string "datatype error" with a snort rule like that :

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"web-server attack"; flow:from_server,established; content:"datatype error"; classtype:web-application-attack; sid:80005; rev:1;)

But Snort never detects that.

I try with binary mode, same.
When I sniff with ethereal, the packet I try to catch is like that :

attcker    -> web-webser  : HTTP : GET  http://server/script.asp?param=&apos;
web-server -> attacker : HTTP : HTTP/1.1 304 Not Modified    
web-server -> attacker : HTTP : Continuation or non-HTTP traffic (*HERE)

If anyone have an idea ?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]