Re: how to inspect http payload

["Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>]

You must have file_data before content so it'll point to correct
buffer before looking for this content.

file_data; content: ....

Regards,

2012/5/25, 曾代科 <scybzdk () 163 com>:
> Hey there,
>
>
> I want to match the contents which included in  http payload  to the http
> payload that decompressed by snort .
>
>
> my suggestion is the following:
> alert tcp any 80 <> any any
> (msg:"message";content:"background";file_data;sid:1000001;)
>
>
> I can get the message on the console when I use wget command.
> eg: wget www.baidu.com
>
>
> But when I access the same website with browser I can't get the message.
> I know the http data compress by gzip,
> and I can print the data decompressed to the screen .
>
>
> why the snort can't match the content to the payload?
>
>
> The config file is the default snort.conf. I just add a rule in the file.
>
>
> how do I config the snort.conf ?
>
>
> i would appreciate any inspiration.
>
>
> cheers!

-- 
Enviado do meu celular

Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!