Unanswered http post

Hi,

I have an unanswered HTTP POST; this POST contains a username and
password. The DPD signature only works when the POST is answered.
Is there a way to deal with this? I would like to see it in my http.log.

Regards,

Daniel

Generally the DPD signatures trigger only if there's something looking
like the assumed protocol on either side of the connection; that's to
avoid attacks where a client generates tons of bogus traffic without
any server responding.

A more specific answer to your question depends on what exactly
"unanswered" means. If there's some reply from the server at all,
maybe we could tweak the DPD signature to take that into account.
Alternatively, you could add your own custom DPD signature that
matches on just client side traffic if that's what you prefer.

Robin

The attached policy performs regular expression matching on http post bodies, and raises a notice on regular expression match. By default it looks for passwd|password (upper or lower case) in the body - not quite exactly what you requested, but should get you part of the way.

Hope this helps

http-sensitive_POSTs.bro (2.82 KB)

Hi Robin,

The problem is the DPD signature. I think I need
a DPD signature that just matches on client-side HTTP.
I tried this simple example, but this doesn't work:

signature password-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*password/
    enable "http"
    event "Found password!"
}

Could it be conflicting with the HTTP DPD signature?
Strings on the pcap shows the POST I seek.
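
A client-side-only DPD signature of the kind Robin suggests and Daniel asks for, as an added example that is not from any participant in this thread. The signature name is hypothetical, and the commented-out stock pair is an assumption about what the shipped HTTP DPD signatures look like.

```bro
# Added example, not from the thread. Signature name is hypothetical.
#
# Assumed shape of the stock HTTP DPD pair, shown for comparison only.
# The analyzer is enabled by the server-side signature, which in turn
# requires the client-side one, so a POST with no reply never reaches
# the HTTP analyzer and never shows up in http.log:
#
#   signature dpd_http_client {
#       ip-proto == tcp
#       payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
#       tcp-state originator
#   }
#   signature dpd_http_server {
#       ip-proto == tcp
#       payload /^HTTP\/[0-9]/
#       tcp-state responder
#       requires-reverse-signature dpd_http_client
#       enable "http"
#   }

# Client-side-only variant: enable the HTTP analyzer as soon as the
# originator's stream starts with a POST request line, without waiting
# for any responder traffic.
signature dpd_http_post_client_only {
    ip-proto == tcp
    # Anchored at the start of the originator payload, like the stock
    # client signature, but restricted to POST to limit the extra load.
    payload /^[[:space:]]*POST[[:space:]]+/
    tcp-state originator
    enable "http"
}
```

This trades away the protection Robin describes: any client whose stream begins with "POST " now gets an HTTP analyzer attached even if no server ever responds, so it is best limited to the networks or ports where unanswered POSTs need to be logged.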