Re: How to detect http response body

[Maxim <hittlle () 163 com>]

It's response body, not request body





--
发自我的网易邮箱手机智能版



在 2016-11-02 20:04:45，"Y M" <snort () outlook com> 写道：

Have you tried using the content modifier "http_client_body"? Also, If the string constantly appears at fixed offset, 
you can further optimize with content modifiers "offset" and "depth". These are all part of the documentation.


http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004511000000000000000


YM








On Wed, Nov 2, 2016 at 2:14 PM +0300, "Maxim" <hittlle () 163 com> wrote:


Hi all,
We came across a weird scenario. We used the following rule to detect http response body
  alert tcp any any -> $HOME_NET any ( sid: 10000003; file_data; content:"ASED"; nocase; rev:1; classtype: 
misc-activity;msg:"cve-test";)
And we do see such a string in the response body, but snort did not trigger any alerts. Are we missing anything? Many 
thanks




------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!