Snort mailing list archives
Snort cannot detect HTTP OPTIONS payload
From: Maxim <hittlle () 163 com>
Date: Thu, 3 Nov 2016 14:28:45 +0800 (CST)
Hi all,

Does anyone know how to match HTTP OPTIONS payload? Seems that snort doesn't support the detection of HTTP OPTIONS payload. I wrote the following rule

    alert tcp any any -> any any (content:"OPTIONS";nocase;http_method; pcre:"/A{10,}/iP"; sid:10000001;rev:1;classtype:web-application-attack;msg:"CVE-2010-0361";)

and I used curl to send such a request

    curl -X OPTIONS -O '192.168.2.112' --data "AAAAAAAAAAAAAAAAAAAAAA"

Snort didn't trigger any alerts. Then I changed the rule to detect HTTP POST, and put it this way

    alert tcp any any -> any any (content:"POST";nocase;http_method; pcre:"/A{10,}/iP"; sid:10000001;rev:1;classtype:web-application-attack;msg:"CVE-2010-0361";)

and used curl to send a POST request

    curl -X POST -O '192.168.2.112' --data "AAAAAAAAAAAAAAAAAAAAAA"

This time, Snort triggered an alert, very strange. Am I missing anything?

Many thanks.