[Emerging-Sigs] Snort's http_inspect and http_header - New Gotcha
wkitty42 at windstream.net
Thu Oct 14 18:35:53 EDT 2010
On 10/14/2010 17:34, Eoin Miller wrote:
> Now we know the order of the buffers in this is http_method (POST):
> 0000 50 4f 53 54 POST
> http_uri (/qwe/wert.php):
> 0000 2f 71 77 65 2f 77 65 72 74 2e 70 /qwe/wert.p
> 0010 68 70 hp

i'm trying to follow along with what you are doing to help me understand the new
stuff and how i should be handling some POST stuff that i'm looking at... yes,
i'm also trying to follow along in the cryptic(?) documentation but it leaves
something to be desired...

i have a packet that looks like this (paraphrased ASCII only)...

POST /ucp.php?mode=login HTTP/1.0
User-Agent: blah blah
Referer: blah blah
Cookie: val1=blah; val2=blah; val3=blah

what i'm trying to figure out is like you post above...

http_method == POST
http_uri == /ucp.php OR /ucp.php?mode=login ???
http_header == Accept, User-Agent, Referer, Content, Host, Content-Length,
http_cookie == the Cookie: stuff
content == varA, varB, varC, varD

the one i'm most confused about is the http_uri... which is it and if the first,
does that make "mode=login" uricontent?