[Emerging-Sigs] question about POST vars...
eoin.miller at trojanedbinaries.com
Thu Oct 14 18:20:16 EDT 2010
On 10/14/2010 9:42 PM, waldo kitty wrote:
> i'm working on updating a few of my sigs to use the http_* stuff and am slightly
> confused about something...
> in a GET, all of the vars are in the uricontent, right?
> but in a POST, the only part that is uricontent is the name of the url being
> posted to and the vars of that post are simply content??
In a GET it is all in the http_uri, in a POST (which is the only method
people should really be using to transmit data to a web application) all
of the variables being delivered to the server will be in
http_client_body. In order for you to be able to use the
http_client_body content search modifier, I believe you must have
post_depth inside of your http_inspect section of your snort.conf file.
This is the configuration you should have (comes with Snort >2.9.0 or
all VRT rule packs in recent memory). More about this is gone over here:

I'll be trying to do a writeup on the usage of writing signatures with
these http_inspect buffers in the near future but I have another
presentation I am working on for a conference currently.
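
The split described in the reply above, as an added example that is not part of the original post: two Snort 2.9-style rules matching the same variable, once in the URI of a GET and once in the body of a POST. The path `/app/form.php`, the variable `action=export`, the SIDs and the `post_depth` value in the comment are constructed placeholders.

```snort
# Assumed http_inspect setting in snort.conf (sample value, adjust to your config):
#   preprocessor http_inspect_server: server default profile all ports { 80 } post_depth 65495

# GET: the variables travel in the query string, so both the path and the
# variable are matched in the http_uri buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL example - variable in GET query string"; flow:established,to_server; content:"GET"; http_method; content:"/app/form.php"; http_uri; nocase; content:"action=export"; http_uri; nocase; classtype:web-application-activity; sid:1000001; rev:1;)

# POST: only the path being posted to is in http_uri; the variables are in
# the request body, so that content match moves to http_client_body.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL example - variable in POST body"; flow:established,to_server; content:"POST"; http_method; content:"/app/form.php"; http_uri; nocase; content:"action=export"; http_client_body; nocase; classtype:web-application-activity; sid:1000002; rev:1;)
```

A signature meant to cover both delivery methods needs both rules, since a single content match cannot span the two buffers.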