Snort mailing list archives
Re: snort rule to detect HTTP POST data
From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Apr 2018 08:57:40 +0000
Hello,
Do you have a pcap of the traffic that you can share?
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Joel Esler (jesler) via Snort-users"
<snort-users () lists snort org>
Reply-To: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tuesday, April 3, 2018 at 12:57 AM
To: "Shah, Neeraj A. (IntlCtr)" <neeraj.shah () nist gov>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] snort rule to detect HTTP POST data
Betting it's how you have your variables configured in your snort.conf
On Mar 28, 2018, at 3:27 PM, Shah, Neeraj A. (IntlCtr) via Snort-users <snort-users () lists snort org> wrote:
Hello All,
Looking for help creating a rule which can alert when a default password is sent across an HTTP session. I am trying
to capture when someone logs in to http://ip-addr of my switch web UI with the default password. I have
tried the below rules and none of them are working. I can see the default pwd password in cleartext in the pcap file,
yet snort is not alerting. Is it because snort handles HTTP FORM POST data differently?

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "pwd=password" ; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password" ; content: "password"; nocase; sid:10000009;rev:1;)

alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default Password"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:"/base/cheetah_login.html "; content:"password"; nocase; sid:10000009;rev:1;)

Below is a snippet of PCAP file.
<image001.png>
Thanks in advance
Neeraj
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
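
Added example (not part of the thread, and not Snort's own code): a simplified Python model of the check behind Joel Esler's reply, showing that a packet carrying pwd=password still raises no alert when its addresses fall outside the rule's $HOME_NET or $NETWORK_DEVICES. The ipvar values, client addresses and request are constructed; the model handles only any, $VAR, !, flat bracket lists, CIDR, and a literal port.

```python
import ipaddress
import re

# Constructed snort.conf lines; the addresses are assumptions, not from the thread.
SAMPLE_CONF = "ipvar HOME_NET 192.168.1.0/24\nipvar NETWORK_DEVICES [10.0.0.2,10.0.0.3]\n"
RULE = (  # first rule from the post, joined onto one line
    'alert tcp $HOME_NET any -> $NETWORK_DEVICES 80 (msg: " WEBAPP Netgear Default '
    'Password" ; content: "pwd=password" ; nocase; sid:10000009;rev:1;)')
# Constructed login request; only the URI and pwd=password come from the post.
PAYLOAD = ("POST /base/cheetah_login.html HTTP/1.1\r\nHost: switch\r\n"
           "Content-Length: 12\r\n\r\npwd=password")
HEADER_RE = re.compile(r"^\s*alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")

def parse_ipvars(conf_text):
    """Collect 'ipvar NAME VALUE' (or legacy 'var NAME VALUE') lines into a dict."""
    return dict(re.findall(r"^\s*(?:ipvar|var)\s+(\S+)\s+(\S+)", conf_text, re.M))

def addr_matches(spec, addr, ipvars):
    """Simplified model of one header address field (not Snort's implementation)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr, ipvars)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_matches(ipvars[spec[1:]], addr, ipvars)  # KeyError: variable undefined
    if spec.startswith("["):
        items = [i for i in spec.strip("[]").split(",") if i]
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = any(addr_matches(i, addr, ipvars) for i in pos) if pos else True
        return hit and not any(addr_matches(i, addr, ipvars) for i in neg)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def explain(rule, src, dst, dport, payload, content, ipvars):
    """Name the first condition the packet fails, or return 'match'."""
    src_spec, _sport, dst_spec, port_spec = HEADER_RE.match(rule).groups()
    for label, spec, addr in (("source", src_spec, src), ("destination", dst_spec, dst)):
        if not addr_matches(spec, addr, ipvars):
            return f"header: {label} {addr} is not in {spec}"
    if port_spec != "any" and int(port_spec) != dport:  # literal port or 'any' only
        return f"header: port {dport} is not {port_spec}"
    if content.lower() not in payload.lower():  # models a nocase content match
        return "content: pattern not in payload"
    return "match"

if __name__ == "__main__":
    ipvars = parse_ipvars(SAMPLE_CONF)
    for src in ("192.168.1.50", "172.16.5.9"):  # constructed client addresses
        print(src, "->", explain(RULE, src, "10.0.0.2", 80, PAYLOAD, "pwd=password", ipvars))
```

Feeding it the real ipvar lines from snort.conf and the client and switch addresses seen in the pcap shows whether the header, rather than the POST body, is what keeps the rule silent.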
