Snort mailing list archives
s/file_data/http_client_body?
From: Duane Howard <duane.security () gmail com>
Date: Tue, 22 Sep 2015 11:29:23 -0700
Should this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; *file_data*; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35852; rev:1;)

actually be:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; *http_client_body*; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35852; rev:1;)
From my quick read of the manual, file_data for HTTP traffic would map to the HTTP response body, from the server, instead of the client body to the server. I *think* this rule is trying to find JPEGs POSTed (or similar) to a server in my HOME_NET. Will file_data actually work in this case?
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
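As an added illustration (not code from the thread, and not part of the VRT rule set), the Python below emulates which buffer the content match of sid:35852 runs against under the reading of the manual given in the post (file_data = response body only, http_client_body = request body only; that mapping is an assumption of the example), and evaluates both rule variants over three constructed HTTP messages. It also shows that depth:4 only matches when the JPEG magic sits at offset 0 of the selected buffer.

```python
# Added example: emulate the buffer selection and depth:4 match of sid:35852.
JPEG_EXIF_MAGIC = b"\xff\xd8\xff\xe1"   # content:"|FF D8 FF E1|" from the rule

def split_http(message: bytes):
    """Split a raw HTTP message into its start line and body."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    return head.split(b"\r\n", 1)[0], body

def is_to_server(start_line: bytes) -> bool:
    """flow:to_server holds for a request line, not for an 'HTTP/x.y <status>' line."""
    return not start_line.startswith(b"HTTP/")

def select_buffer(message: bytes, keyword: str) -> bytes:
    """Pick the sticky buffer the content match runs against.
    Assumption (the poster's reading of the manual, simplified): file_data is
    the HTTP response body only, http_client_body the request body only."""
    start_line, body = split_http(message)
    if keyword == "http_client_body":
        return body if is_to_server(start_line) else b""
    if keyword == "file_data":
        return b"" if is_to_server(start_line) else body
    raise ValueError(f"unknown buffer keyword: {keyword}")

def rule_fires(message: bytes, keyword: str) -> bool:
    """flow:to_server; <keyword>; content:"|FF D8 FF E1|"; depth:4;
    depth:4 means the 4-byte pattern must start at offset 0 of the buffer."""
    start_line, _ = split_http(message)
    if not is_to_server(start_line):
        return False
    return select_buffer(message, keyword)[:4] == JPEG_EXIF_MAGIC

# Constructed sample traffic (not real captures).
RAW_PUT = (b"PUT /upload/photo.jpg HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: image/jpeg\r\nContent-Length: 8\r\n\r\n"
           b"\xff\xd8\xff\xe1\x00\x10Ex")
MULTIPART_POST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
                  b"--XX\r\nContent-Disposition: form-data; name=\"f\"; filename=\"p.jpg\"\r\n"
                  b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe1\x00\x10Ex\r\n--XX--\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
            b"\xff\xd8\xff\xe1\x00\x10Ex")

if __name__ == "__main__":
    samples = [("raw PUT", RAW_PUT), ("multipart POST", MULTIPART_POST), ("response", RESPONSE)]
    for name, msg in samples:
        for kw in ("file_data", "http_client_body"):
            print(f"{name:15s} {kw:17s} fires={rule_fires(msg, kw)}")
```

Under this emulation only the http_client_body variant fires, and only on the raw PUT; the multipart upload is missed by both variants because its body begins with the boundary line rather than the JPEG magic.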