Snort mailing list archives
Re: HTML Form URL Encoded
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Wed, 15 Jul 2015 12:19:50 -0400
If you have a packet, that's the best way for us to help troubleshoot your rule. Note that you don't have to turn _ into |5F| in your content match.

Thanks
Alex McDonnell
TALOS

On Wed, Jul 15, 2015 at 11:44 AM, Steven Fitzpatrick <sfitzpatrick () sciencepark org uk> wrote:
Good afternoon,

I captured a packet in Wireshark showing passwords being sent in clear text, so I want to create an alert for this but am having some issues.

In the packet it’s got HTML Form URL Encoded and then the various form fields, one of which is Form Item: “j_password”.

My rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:""; flow:to_server; content:"POST"; http_method; content:"j|5f|password"; nocase; sid:1000000; rev:1;)

I am new to rule writing, so I am sure the above probably isn’t the best way to go about it, but it’s not triggering. Any ideas?

Thanks

------------------------------
*Steven Fitzpatrick*
ICT Support Technician
*T:* 01752 762118
*E:* sfitzpatrick () plymouthsciencepark com
www.plymouthsciencepark.com
------------------------------

Plymouth Science Park Limited, 1 Davy Road, Plymouth, PL6 8BX. Registered in England No. 3157625

DISCLAIMER: This correspondence contains proprietary information, some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this correspondence, please notify the author. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this correspondence. The contents, comments or views expressed within do not necessarily reflect those of Plymouth Science Park Ltd, its affiliates or associates and are not intended to create legal relations with the recipient.
If you want to know more about Plymouth Science Park, visit us on the web at www.plymouthsciencepark.com or contact us on 01752 772200.

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
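Added example, not part of the original thread or of Snort itself: a small Python helper that decodes a Snort 2 content string (literal text plus |hex| blocks) into the bytes it matches, showing that "j|5f|password" and "j_password" are the same pattern, and tests it against a request payload. The function names and the sample POST (host, path, j_username field, values) are constructed for illustration and are not the poster's capture.

```python
def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort 2 content string into the byte pattern it matches."""
    out = bytearray()
    in_hex = False
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":                      # a pipe opens or closes a hex block
            in_hex = not in_hex
            i += 1
        elif in_hex and ch.isspace():      # spaces between hex pairs are ignored
            i += 1
        elif in_hex:                       # two hex digits make one byte
            out.append(int(content[i:i + 2], 16))
            i += 2
        elif ch == "\\" and i + 1 < len(content):
            out += content[i + 1].encode() # backslash escapes ; " and \
            i += 2
        else:
            out += ch.encode()             # ordinary literal character
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| block in content string")
    return bytes(out)


def content_matches(content: str, payload: bytes, nocase: bool = False) -> bool:
    """Return True if the decoded content occurs anywhere in the payload."""
    needle = snort_content_to_bytes(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Constructed sample: a form POST with a URL-encoded body (assumed values).
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"j_username=alice&j_password=changeme1"
)

if __name__ == "__main__":
    for pattern in ("j|5f|password", "j_password"):
        print(pattern, snort_content_to_bytes(pattern),
              content_matches(pattern, SAMPLE_POST, nocase=True))
```

Running the same check against the payload bytes exported from the actual capture shows whether the content pattern is present in the packet at all, which separates a pattern problem from a problem elsewhere in the rule.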
Current thread:
- HTML Form URL Encoded Steven Fitzpatrick (Jul 15)
- Re: HTML Form URL Encoded Alex McDonnell (Jul 15)
- Re: HTML Form URL Encoded 강명훈 (Jul 28)
- Re: HTML Form URL Encoded Alex McDonnell (Jul 15)