[Emerging-Sigs] question about POST vars...

Eoin Miller eoin.miller at trojanedbinaries.com
Thu Oct 14 18:20:16 EDT 2010

  On 10/14/2010 9:42 PM, waldo kitty wrote:
> i'm working on updating a few of my sigs to use the http_* stuff and am slightly
> confused about something...
> in a GET, all of the vars are in the uricontent, right?
> but in a POST, the only part that is uricontent is the name of the url being
> posted to and the vars of that post are simply content??
In a GET it is all in the http_uri, in a POST (which is the only method 
people should really be using to transmit data to a web application) all 
of the variables being delivered to the server will be in 
http_client_body. In order for you to be able to use the 
http_client_body content search modifier, I believe you must have 
post_depth inside of your http_inspect section of your snort.conf file. 
This is the configuration you should have (comes with Snort >2.9.0 or 
all VRT rule packs in recent memory). More about this is gone over here:


I'll be trying to do a writeup on the usage of writing signatures with 
these http_inspect buffers in the near future but I have another 
presentation I am working on for a confrence currently.

-- Eoin

More information about the Emerging-sigs mailing list