[Emerging-Sigs] Snort s http_inspect and http_header - New Gotcha

waldo kitty wkitty42 at windstream.net
Thu Oct 14 18:35:53 EDT 2010


On 10/14/2010 17:34, Eoin Miller wrote:
> Now we know the order of the buffers in this is http_method (POST):
> ========================================================================
> 0000   50 4f 53 54                                      POST
> ========================================================================
>
> http_uri (/qwe/wert.php):
> ========================================================================
> 0000 2f 71 77 65 2f 77 65 72 74 2e 70       /qwe/wert.p
> 0010   68 70                                            hp
> ========================================================================

i'm trying to follow along with what you are doing to help me understand the new 
stuff and how i should be handling some POST stuff that i'm looking at... yes, 
i'm also trying to follow along in the cryptic(?) documentation but it leaves 
something to be desired...

i have a packet that looks like this (paraphrased ASCII only)...

POST /ucp.php?mode=login HTTP/1.0
Accept: */*
User-Agent: blah blah
Referer: blah blah
Content-Type: application/x-www-form-urlencoded
Host: foo.bar
Content-Length: xyz
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: val1=blah; val2=blah; val3=blah

varA=foo&varB=bar&varC=fubar&varD=snafu


what i'm trying to figure out is like you post above...

http_method == POST
http_uri    == /ucp.php  OR  /ucp.php?mode=login  ???
http_header == Accept, User-Agent, Referer, Content, Host, Content-Length, 
Proxy-Connection, Pragma
http_cookie == the Cookie: stuff
content     == varA, varB, varC, varD

the one i'm most confused about is the http_uri... which is it and if the first, 
does that make "mode=login" uricontent?
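Added example, not code from the list post or from Snort itself: a small Python sketch of how http_inspect partitions the request above into its buffers. It assumes Snort 2.x semantics with enable_cookie turned on, where the query string stays in the http_uri buffer (so "mode=login" is matched with content plus the http_uri modifier, the equivalent of the older uricontent) and the Cookie header is pulled out of http_header into http_cookie.

```python
from typing import Dict

# Constructed sample request, modelled on the paraphrased packet in the post.
SAMPLE_REQUEST = (
    b"POST /ucp.php?mode=login HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: blah blah\r\n"
    b"Referer: blah blah\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: foo.bar\r\n"
    b"Content-Length: 39\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Cookie: val1=blah; val2=blah; val3=blah\r\n"
    b"\r\n"
    b"varA=foo&varB=bar&varC=fubar&varD=snafu"
)


def split_http_buffers(raw: bytes) -> Dict[str, bytes]:
    """Split a client request into the buffers http_inspect exposes.

    Hypothetical helper approximating Snort 2.x with enable_cookie on:
    the Cookie header is moved out of http_header into http_cookie.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    header_lines = []
    cookie = b""
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
        else:
            header_lines.append(line)
    return {
        "http_method": method,
        "http_uri": uri,  # the query string stays in the URI buffer
        "http_header": b"\r\n".join(header_lines),
        "http_cookie": cookie,
        "http_client_body": body,
    }


def rule_matches(buffers: Dict[str, bytes], buffer_name: str, pattern: bytes) -> bool:
    """Emulate `content:"<pattern>"; <buffer_name>;` against a single buffer."""
    return pattern in buffers[buffer_name]
```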

