Snort mailing list archives
Re: http_header not working
From: Mitesh Jadia <mitesh.jadia () gmail com>
Date: Mon, 29 Sep 2014 19:10:55 +0530
Hello,

As per my understanding, the following signature

alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);

will not trigger because the content "test" in your GET request will not be part of the http_header field. http_uri and http_raw_uri are the proper keywords to match this content:

alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);

Logically you should use 'alert tcp' for this signature. However, with alert ip this signature is working for me here.

On Fri, Sep 26, 2014 at 5:59 PM, NIDS TEAM <nidsteam () gmail com> wrote:
Hi,

I just encountered a problem with the http_* keywords in Snort rules. There is a GET request to www.anywebsite.com/test

The following signature triggers:

alert ip any any -> any any (content:"test"; msg:"Test Signature"; sid:"9999999"; rev:1);

The following signatures do not:

alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);

Does anyone have an idea why? I tested the behaviour with:
- Security Onion - Snort 2.9.5.6
  Default shipped configuration plus the above rules
- Ubuntu Snort download off the shelf - Snort 2.9.6.0
- Latest and greatest compiled - Snort 2.9.6.2

There is always the same behaviour.

Thanks already
guido

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
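The buffer distinction Mitesh describes, shown as an added example that is not code from the thread or from Snort: a small Python model that splits a raw request into approximations of the http_* buffers and evaluates the three rules from the thread against it. The buffer boundaries are an assumption that simplifies Snort's HTTP inspect preprocessor (no normalization, no cookie/raw variants); the sample request is constructed.

```python
# Added example (not from the thread): approximate how Snort 2.9 splits an HTTP
# request into the buffers the http_* modifiers select, and check where "test" lands.
# Assumption: http_header holds only the header lines, so the request line
# (method, URI, version) is not searched when http_header is used.

def split_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into approximations of Snort's http_* buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, _, rest = request_line.partition(b" ")
    uri, _, _version = rest.partition(b" ")
    return {
        "http_method": method,
        "http_uri": uri,               # request URI only, not host or headers
        "http_header": header_block,   # header lines only; request line excluded
        "http_client_body": body,
        "packet": raw,                 # plain content: match anywhere in the payload
    }

def content_matches(buffers: dict, pattern: bytes, modifier: str = "packet") -> bool:
    """Emulate `content:"pattern"; <modifier>;` as a substring search in one buffer."""
    return pattern in buffers[modifier]

# Constructed sample request for www.anywebsite.com/test, as in the thread.
SAMPLE_REQUEST = (
    b"GET /test HTTP/1.1\r\n"
    b"Host: www.anywebsite.com\r\n"
    b"User-Agent: curl/7.35.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

def evaluate_thread_rules() -> dict:
    """Return which of the three rules from the thread would fire on SAMPLE_REQUEST."""
    buffers = split_http_request(SAMPLE_REQUEST)
    return {
        "sid 9999999 (plain content)": content_matches(buffers, b"test"),
        "sid 9999998 (http_header)": content_matches(buffers, b"test", "http_header"),
        "sid 9999997 (http_uri)": content_matches(buffers, b"test", "http_uri"),
    }

if __name__ == "__main__":
    for rule, fired in evaluate_thread_rules().items():
        print(f"{rule}: {'fires' if fired else 'no match'}")
```

Under this model only the plain-content and http_uri rules match, which is the behaviour Mitesh reports; a "test" string placed in a header value (for example a User-Agent) would flip the http_header result.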