[Bro] Unanswered http post
daniel.guerra69
daniel.guerra69 at gmail.com
Tue Jul 8 07:52:50 PDT 2014
Hi Robin,
The problem is the dpd signature. I thqink I need
a DPD signature that just matches on client side http.
I tried this simple example but this doesn't work
signature password-sig {
ip-proto == tcp
dst-port == 80
payload /.*password/
enable "http"
event "Found password!"
}
Could it be conflicting with the http dpd signature ?
Strings on the pcap shows the POST i seek.
On 07/07/2014 05:53 PM, Robin Sommer wrote:
> On Mon, Jul 07, 2014 at 17:21 +0200, daniel.guerra69 wrote:
>
>> I have an unanswered HTTP post, this post contains username and
>> password. The dpd signature only works when the post is answered.
> Generally the DPD signatures trigger only if there's something looking
> like the assumed protocol on either side of the connection; that's to
> avoid attacks where a client generates tons of bogus traffic without
> any server responding.
>
> A more specific answer to your question depends on what exactly
> "unanswered" means. If there's some reply from the server at all,
> maybe we could tweak the DPD signature to take that into account.
> Alternatively, you could add your own custom DPD signature that
> matches on just client side traffic if that's what you prefer.
>
> Robin
>
More information about the Bro
mailing list