Snort mailing list archives

Problem with http_header content modifier


From: Frederico Araujo <araujof () gmail com>
Date: Fri, 10 Jul 2015 11:41:43 -0400

Hi,

Snort is not firing alerts when I use the http modifier http_header. I have
a very simple test rule that matches on a string that I set on an HTTP
request header, and the alert only fires if I remove http_header from the
rule.

This is my http_inspect configuration:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
 server default profile apache \
 ports { 80 8080  }  \
 post_depth 65495 \
 client_flow_depth 1460 \
 normalize_headers \
 normalize_cookies

This is the rule I tested:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Test HTTP Headers"; content:"test"; fast_pattern:only; http_header; sid:10000001; rev:1;)

And this is the test request that triggers the alert when I remove
http_header (from another machine):

curl -A "test" http://<target IP>/cgi-bin/test-cgi

I have Snort 2.9.7.3 set up on an Ubuntu 14.04 VM running on VMware
Workstation with a NAT-configured nic.

Any ideas why http_header is not working for me?

Thanks,
Fred
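Added example (not part of the original post, and not Snort's own code): a small Python model of which bytes of the curl request above a content match is restricted to, so the rule can be reasoned about offline before touching the sensor. The buffer boundaries it uses (request line, header-field block, body) are an assumption for illustration and do not reproduce http_inspect's normalization; the request bytes and the 192.0.2.10 address standing in for the redacted target IP are constructed.

```python
# Added example, not from the original post: a model of where a content
# pattern sits in an HTTP request (whole payload, request-target, header
# fields, or body). This is NOT Snort's http_inspect; the buffer boundaries
# are an assumption made here for illustration.

# Constructed approximation of what `curl -A "test" http://192.0.2.10/cgi-bin/test-cgi`
# puts on the wire (192.0.2.10 stands in for the redacted target IP; the
# Accept header is curl's default).
SAMPLE_REQUEST = (
    b"GET /cgi-bin/test-cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: test\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def split_request(raw):
    """Split a raw HTTP request into (request_line, header_block, body).

    header_block is the run of header-field lines between the request line
    and the blank line; body is everything after the blank line.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line, header_block, body


def uri_of(request_line):
    """Return the request-target from 'METHOD target HTTP/x.y'."""
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def buffer_for(raw, which):
    """Return the bytes a content match is restricted to for a buffer name.

    The names mirror the rule modifiers; the extents are this model's
    assumption, not http_inspect's.
    """
    request_line, header_block, body = split_request(raw)
    if which == "payload":      # no modifier: whole packet payload
        return raw
    if which == "uri":          # http_uri: the request-target
        return uri_of(request_line)
    if which == "header":       # http_header: header-field lines only
        return header_block
    if which == "client_body":  # http_client_body: bytes after the blank line
        return body
    raise ValueError("unknown buffer: %s" % which)


def content_matches(raw, pattern, which="payload", nocase=False):
    """True if `pattern` occurs in the selected buffer.

    A plain byte substring search, as a content match is; nocase makes it
    case-insensitive.
    """
    buf = buffer_for(raw, which)
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def where_does_it_match(raw, pattern):
    """List every buffer the pattern is found in, for debugging a rule."""
    return [b for b in ("payload", "uri", "header", "client_body")
            if content_matches(raw, pattern, b)]


if __name__ == "__main__":
    # "test" sits in both the request-target (/cgi-bin/test-cgi) and the
    # User-Agent field, so it is in the header block as well as the URI.
    print(where_does_it_match(SAMPLE_REQUEST, b"test"))
    # A string that lives only in the request line never reaches the header block.
    print(content_matches(SAMPLE_REQUEST, b"cgi-bin", "header"))
```

The point of the model is that for this particular request the string "test" is present both in the request-target and in the User-Agent field, so restricting the match to header fields does not by itself remove the pattern from view; it only helps decide which buffer a string occupies before looking at what the sensor actually inspects.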