Snort mailing list archives
Problem with http_header content modifier
From: Frederico Araujo <araujof () gmail com>
Date: Fri, 10 Jul 2015 11:41:43 -0400
Hi,

Snort is not firing alerts when I use the HTTP modifier http_header. I have a very simple test rule that matches on a string that I set on an HTTP request header, and the alert only fires if I remove http_header from the rule.

This is my http_inspect configuration:

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: \
        server default profile apache \
        ports { 80 8080 } \
        post_depth 65495 \
        client_flow_depth 1460 \
        normalize_headers \
        normalize_cookies

This is the rule I tested:

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Test HTTP Headers"; content:"test"; fast_pattern:only; http_header; sid:10000001; rev:1;)

And this is the test request that triggers the alert when I remove http_header (from another machine):

    curl -A "test" http://<target IP>/cgi-bin/test-cgi

I have Snort 2.9.7.3 set up on an Ubuntu 14.04 VM running on VMware Workstation with a NAT-configured NIC.

Any ideas why http_header is not working for me?

Thanks,
Fred
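An added example (not part of the original post, and not Snort code): a simplified Python model of the request buffers that the HTTP content modifiers select, run on a constructed copy of the curl request above. It shows that "test" occurs in both the URI and the User-Agent header, so the rule without http_header can match outside the headers; the address 192.0.2.10 and all function names are assumptions, and no normalization is modelled.

```python
# Simplified model of the buffers selected by Snort 2.x content modifiers
# (http_method, http_uri, http_header, http_client_body).
# Assumption: plain byte splitting only, no normalization or decoding.

def split_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into named buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, uri, _version = parts
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": header_block,
        "http_client_body": body,
    }

def buffers_containing(raw: bytes, pattern: bytes) -> list:
    """Names of the buffers in which a content pattern would be found."""
    buffers = split_http_request(raw)
    return [name for name, data in buffers.items() if pattern in data]

def matching_headers(raw: bytes, pattern: bytes) -> list:
    """Header field names whose value contains the pattern."""
    names = []
    for line in split_http_request(raw)["http_header"].split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and pattern in value:
            names.append(name.strip().decode("ascii", "replace"))
    return names

# Constructed sample: approximately what
#   curl -A "test" http://<target IP>/cgi-bin/test-cgi
# sends; 192.0.2.10 is a documentation address standing in for the target.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/test-cgi HTTP/1.1\r\n"
    b"User-Agent: test\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("buffers with 'test':", buffers_containing(SAMPLE_REQUEST, b"test"))
    print("headers with 'test':", matching_headers(SAMPLE_REQUEST, b"test"))
```

A test string that does not also appear in the URI makes it clear which buffer an alert came from.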