实际上,我正在尝试使某些打喷嚏规则起作用。特别是我编写的xml规则。
我正在仔细研究SAML请求和响应。一个SAML请求可能看起来像这样:
SAMLRequest=pZNBj9owEIX%2FSm4%2BJcYQFrAIUgSqhLRtEWx72MvK6wys1cROPeNu%2Bu%2FrBGg57O6lp0jj5%2FnevHGWqJq6lWWgF7uHnwGQkhIRPBln185iaMAfwP8yGr7t7wv2QtSi5BxBBw%2BZVh4q12XaNTLPJ9z509PJu9ByMZmMeYidkPcMji3X534sKYm8eQ4EZ4KxpwtiayvoCjZlySY6MVb1Nv5BTRtxlrJGEYYfYpwF5OtY2rjucPjKEV2msO1Yst0U7Kla5CKfwiSdPefjNJ%2Brebq4Ox7TyUwvcq0Wo3keQVvEELlIylLBxiMxS0fTVIgHcSenuRyJR5Z8j1MMRsbZiCVdU1uU%2FVAFC95Kp9CgtKoBlKTlofx8L6NQqmuOt1faj%2B%2B03pHTrmarZa%2BWgzu%2F%2Bp%2FUGyBVKVJLfttxeV78l%2Bhgu9m52ujfSVnX7nXtQREUjHyIm%2FrkfAz7fc8iE0PFVOlxkMpgsQVtjgYqxq%2BYy9OCanhocesEHSVr18SFGuyThU5puk59q1rXMcc9HFcfRq2l7nWxvIufV%2BerXUwSdEQ%2BeBUtOU%2BXAN5sfj57x%2Bjf09vfZPUH
SAMLRequest值以以下方式编码:
URL(BASE64(deflate(XML)))
因此编码后的请求为:
> <samlp:AuthnRequest
> AssertionConsumerServiceURL='https://secure.caredox.com:443/org_group/1332/users/saml/sp/consume' AttributeConsumingServiceIndex='5'
> Destination='https://iparent.matsuk12.us/CareDoxSSO/sso.aspx'
> ID='_d94145e3-7b42-48a8-96ff-37c94ca90845'
> IssueInstant='2017-05-11T16:54:01Z' Version='2.0'
> xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
> xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>https://secure.caredox.com:443/org_group/1332/users/saml/sp/metadata</saml:Issuer><samlp:NameIDPolicy
> AllowCreate='true'
> Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'/><samlp:RequestedAuthnContext
> Comparison='exact'><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>
现在我的问题是,据我所知,我的Snort(运行在安全洋葱中)无法解码这些请求(或响应)。
有没有办法使Snort解码此类请求并将规则应用于编码后的值?
感谢您的帮助!