Snort mailing list archives
Re: Using within after http_headers
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 30 Apr 2010 14:21:15 -0500
> Correct. Since this is a normalized field (similar to uricontent), you can't have a relative statement to a normalized http field like that. This is as designed.
This is not entirely accurate ;-)... For example, some of the spyware-put rules mix uricontent, content and distance:0. Also, from my tests you can mix http_client_body and http_uri with distance and within, but it fails always for cookie and header. Also with http_uri, just like uricontent, if you encode the url, distance and within doesn't work.

Regards,
Will

On Fri, Apr 30, 2010 at 11:47 AM, Joel Esler <jesler () sourcefire com> wrote:
> On Fri, Apr 30, 2010 at 12:35 PM, Mike Cox <mike.cox52 () gmail com> wrote:
>> I'm testing some rules and it seems that using the within content modifier on a content match that is relative to a previous content match and uses the http_headers content modifier does not work. For example, this is the original rule that is not alerting:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)
>>
>> But if I remove the within OR the http_header content modifiers, the rule alerts. So both these alert:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; classtype:bad-unknown; rev:1; sid:7500010;)
>>
>> Is there some weird stuff going on with the HTTP header buffer such that subsequent within content modifiers don't work? If so, is this as designed?
>>
>> Thanks.
>>
>> -Mike Cox
------------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
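The pitfall discussed in this thread (a within/distance modifier on a content that follows an http_header or http_cookie content) is easy to catch when reviewing a rule set before deployment. The linter below is an added example, not code from the thread, from Snort or from Sourcefire. It assumes the empirical behaviour Will reports (relative modifiers work after http_uri/http_client_body contents but fail after http_header and http_cookie ones, in the Snort 2.8-era engine of the time); the option parsing is a deliberate simplification of Snort 2 rule syntax, and the three sample rules are Mike's from the thread.

```python
"""Flag Snort 2 rules that chain within/distance after an http_header or
http_cookie content, the combination this thread reports as non-matching.

Added example; the 'unsafe buffer' list encodes the thread's test results,
not documented Snort semantics, and the parser is a simplification.
"""

# Content modifiers that move a content match into a normalized HTTP buffer.
HTTP_BUFFERS = {
    "http_header", "http_cookie", "http_uri", "http_client_body",
    "http_method", "http_raw_uri", "http_raw_header", "http_raw_cookie",
}
# Buffers the thread reports as breaking a following within/distance.
RELATIVE_UNSAFE = {"http_header", "http_cookie"}
RELATIVE_MODIFIERS = {"within", "distance"}

# Mike's three rules from the thread (raw strings keep the "\:" escape intact).
RULE_HEADER_WITHIN = r'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)'
RULE_NO_HEADER = r'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)'
RULE_NO_WITHIN = r'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; classtype:bad-unknown; rev:1; sid:7500010;)'


def split_options(rule):
    """Return the option strings between the rule's outer parentheses,
    splitting on ';' only outside double quotes and honouring backslash escapes."""
    start, end = rule.index("("), rule.rindex(")")
    body = rule[start + 1:end]
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def content_chain(rule):
    """Group options into one record per content/uricontent: the pattern, the
    buffer its modifiers select, and whether it carries within/distance."""
    chain, current = [], None
    for opt in split_options(rule):
        key, _, value = opt.partition(":")
        key = key.strip()
        if key in ("content", "uricontent"):
            current = {
                "pattern": value.strip(),
                # uricontent is the legacy spelling of content + http_uri
                "buffer": "http_uri" if key == "uricontent" else "payload",
                "relative": False,
            }
            chain.append(current)
        elif current is None:
            continue  # modifiers before any content are not ours to judge
        elif key in HTTP_BUFFERS:
            current["buffer"] = key
        elif key in RELATIVE_MODIFIERS:
            current["relative"] = True
    return chain


def lint(rule):
    """Return warning strings for every relative content whose anchor
    (the preceding content) lives in a buffer the thread reports as unsafe."""
    warnings = []
    chain = content_chain(rule)
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        if cur["relative"] and prev["buffer"] in RELATIVE_UNSAFE:
            warnings.append(
                f"content #{i + 1} {cur['pattern']} is relative to a "
                f"{prev['buffer']} content; per the thread this does not match"
            )
    return warnings


if __name__ == "__main__":
    for name, rule in [("header+within", RULE_HEADER_WITHIN),
                       ("no http_header", RULE_NO_HEADER),
                       ("no within", RULE_NO_WITHIN)]:
        print(name, "->", lint(rule) or "ok")
```

Only the first rule is flagged, matching Mike's observation that dropping either http_header or within makes it alert. The http_uri case Will mentions (relative modifiers failing only when the URL is encoded) depends on the traffic rather than the rule text, so a static check like this cannot catch it.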
Current thread:
- Using within after http_headers Mike Cox (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)
- Re: Using within after http_headers Alex Kirk (May 03)
- Re: Using within after http_headers Will Metcalf (Apr 30)
- Re: Using within after http_headers Joel Esler (Apr 30)