Snort mailing list archives
Re: http_header rule
From: Bad Horse <b4dh0rs3 () gmail com>
Date: Thu, 8 Sep 2011 13:00:09 -0500
You mean like an empty header? Something like:

content:"\: |0D 0A|"; http_header;

You can also add a PCRE although I don't think it necessary. This allows for zero or more whitespaces after the colon:

pcre:"/\x0D\x0A[^\x3A]+\x3A\s*\x0D\x0A/H";

This would match:

Host: zombo.com
Keep-Alive:
Accept-Language: en-US

If you want a truly blank header, that may not be possible depending on what you mean by \n. Do you mean 0x0D 0x0A or just 0x0A? Do you have a traffic snippet of what you wish to alert on?

-Bad Horse
The Thoroughbred of SYN

On Thu, Sep 8, 2011 at 8:22 AM, <vincent () ragosta net> wrote:
> Is it possible to create a Snort signature to find a http header with only the '\n' character in it? I know there is an http_header rule option, but I am uncertain how to craft the rule such that it will trigger on ONLY the contents of '\n'. Thanks.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
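Added example, not part of either post and not Snort code: a Python check of what the content match and the PCRE from the reply each catch, run over constructed header buffers that vary the bytes after the colon. It assumes the http_header buffer starts at the first header line (no request line), and the helper names and sample headers are made up for the illustration.

```python
import re

# Byte-level equivalents of the two options in the reply. The /H modifier
# and http_header only select Snort's HTTP header buffer; here the sample
# bytes stand in for that buffer (assumption: it starts at the first header
# line, without the request line).
CONTENT = b": \r\n"                      # content:"\: |0D 0A|"
PCRE = re.compile(rb"\x0D\x0A[^\x3A]+\x3A\s*\x0D\x0A")

def build_headers(empty_line: bytes, first: bool = False) -> bytes:
    """Constructed header block containing one test header line."""
    lines = [b"Host: zombo.com\r\n", b"Accept-Language: en-US\r\n"]
    lines.insert(0 if first else 1, empty_line)
    return b"".join(lines) + b"\r\n"

def check(buf: bytes) -> tuple[bool, bool]:
    """Return (content_hit, pcre_hit) for one header buffer."""
    return (CONTENT in buf, PCRE.search(buf) is not None)

# Constructed samples: same headers, different bytes after "Keep-Alive:".
SAMPLES = {
    "colon + space + CRLF": build_headers(b"Keep-Alive: \r\n"),
    "colon + CRLF": build_headers(b"Keep-Alive:\r\n"),
    "colon + tabs + CRLF": build_headers(b"Keep-Alive:\t\t\r\n"),
    "colon + bare LF": build_headers(b"Keep-Alive:\n"),
    "empty header is first": build_headers(b"Keep-Alive:\r\n", first=True),
    "no empty header": build_headers(b"Keep-Alive: 300\r\n"),
}

def run() -> dict[str, tuple[bool, bool]]:
    """Evaluate both matchers against every constructed sample."""
    return {name: check(buf) for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, (c, p) in run().items():
        print(f"{name:24} content={c!s:5} pcre={p}")
```

The content match needs exactly one space before the CRLF, while the PCRE needs a CRLF in front of the header name, so it misses an empty header that comes first in the buffer. Neither fires on a bare 0x0A line ending, which is the distinction the reply asks about.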