Snort mailing list archives
FN with http_header and pcreH followed by same http_header+distance0...
From: Rm Kml <rmkml () yahoo fr>
Date: Tue, 24 Jul 2012 22:35:20 +0100 (BST)
Hi,

Could someone check this on Snort v2.9.3(.0) please?

OK, first test, Snort does not fire = FN:

alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; rev:1;)

-> but why?

OK, second test, Snort fires = good:

alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

OK, third test, Snort fires = good:

alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

Test with a simple wget command:

wget http://www.kernel.org/abc.html

HTTP request:

GET /abc.html HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
...

Attached: wget example pcap file. Please credit rmkml.

The Suricata engine [OISF] fires every time, thank you.

Regards,
Rmkml
Attachment: testsnortfn.pcap
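The three rules above differ only in which buffer they inspect and whether a pcre sits between the two content matches. The following is an added example (not part of the post, and not Snort's own code) that models the option walk a practitioner expects: each matching option moves a cursor to the end of its match, and a following content with distance:0 searches from that cursor. It assumes that a pcre match sets the cursor the same way a content match does, which is the behaviour the author expects for test 1; the HTTP request is constructed to mirror the wget request quoted in the post, and the http_header buffer is simplified to the header lines after the request line.

```python
import re

# Constructed request, mirroring "wget http://www.kernel.org/abc.html" from the post
REQUEST = (
    "GET /abc.html HTTP/1.0\r\n"
    "User-Agent: Wget/1.12 (linux-gnu)\r\n"
    "Accept: */*\r\n"
    "Host: www.kernel.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed request from a different client, used as a negative case
REQUEST_NO_WGET = (
    "GET /abc.html HTTP/1.0\r\n"
    "User-Agent: curl/7.0\r\n"
    "Host: www.kernel.org\r\n"
    "\r\n"
)


def http_header_buffer(request):
    """Simplified stand-in (assumption) for Snort's http_header buffer: the
    header lines after the request line, up to and including the last CRLF."""
    head, _, _ = request.partition("\r\n\r\n")
    _request_line, _, headers = head.partition("\r\n")
    return headers + "\r\n"


def content(pattern, nocase=False, relative=False, distance=0):
    return ("content", pattern, nocase, relative, distance)


def pcre(regex, flags=0):
    return ("pcre", regex, flags)


def evaluate(options, buf):
    """Walk the options left to right over one buffer. A cursor records the end
    of the last match; a relative content searches from cursor + distance.
    Returns (matched, trace) where trace lists (option, (start, end) or None)."""
    cursor = 0
    trace = []
    for opt in options:
        if opt[0] == "content":
            _, pattern, nocase, relative, distance = opt
            hay, needle = (buf.lower(), pattern.lower()) if nocase else (buf, pattern)
            start = cursor + distance if relative else 0
            idx = hay.find(needle, start)
            if idx < 0:
                trace.append((opt, None))
                return False, trace
            cursor = idx + len(pattern)
            trace.append((opt, (idx, cursor)))
        else:
            _, regex, flags = opt
            m = re.compile(regex, flags).search(buf)  # pcre without R is non-relative
            if m is None:
                trace.append((opt, None))
                return False, trace
            cursor = m.end()  # assumption: pcre match end becomes the cursor
            trace.append((opt, (m.start(), m.end())))
    return True, trace


PCRE_SMI = re.S | re.M | re.I  # the /smi modifiers from the post

# The three rules from the post, reduced to their content/pcre options
RULES = {
    "test 1 FN": ("http_header", [content("linux-gnu", nocase=True),
                                  pcre(r"Wget", PCRE_SMI),
                                  content("linux-gnu", nocase=True, relative=True)]),
    "test 2 ok": ("payload", [content("linux-gnu", nocase=True),
                              pcre(r"Wget", PCRE_SMI),
                              content("linux-gnu", nocase=True, relative=True)]),
    "test 3 ok": ("http_header", [pcre(r"Wget", PCRE_SMI),
                                  content("linux-gnu", nocase=True, relative=True)]),
}


def run_rules(request=REQUEST):
    """Return {rule name: matched} for each rule against the given request."""
    results = {}
    for name, (buffer_kind, options) in RULES.items():
        buf = http_header_buffer(request) if buffer_kind == "http_header" else request
        matched, _trace = evaluate(options, buf)
        results[name] = matched
    return results


if __name__ == "__main__":
    for name, matched in run_rules().items():
        print(f"{name}: {'alert' if matched else 'no alert'}")
```

Under this model all three rules match the wget request, which is the outcome the post expects and reports for Suricata; the trace returned by evaluate() shows the cursor landing at the end of "Wget" before the second "linux-gnu" search, so distance:0 does not skip the header.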
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- FN with http_header and pcreH followed by same http_header+distance0... Rm Kml (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Graham Bignell (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Joel Esler (Jul 24)