Snort mailing list archives

Re: http_header rule


From: Bad Horse <b4dh0rs3 () gmail com>
Date: Thu, 8 Sep 2011 13:00:09 -0500

You mean like an empty header?  Something like:

content:"\: |0D 0A|"; http_header;

You can also add a PCRE although I don't think it necessary.  This allows
for zero or more whitespaces after the colon:

pcre:"/\x0D\x0A[^\x3A]+\x3A\s*\x0D\x0A/H";

This would match:

Host: zombo.com
Keep-Alive:
Accept-Language: en-US

If you want a truly blank header, that may not be possible depending on what
you mean by \n.  Do you mean 0x0D 0x0A or just 0x0A?  Do you have a traffic
snippet of what you wish to alert on?

-Bad Horse
 The Thoroughbred of SYN

On Thu, Sep 8, 2011 at 8:22 AM, <vincent () ragosta net> wrote:

Is it possible to create a Snort signature to find a http header with only
the '\n' character in it?  I know there is an http_header rule option, but I
am uncertain how to craft the rule such that it will trigger on ONLY the
contents of '\n'.

Thanks.


------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop
What are the key obstacles that have prevented many mid-market businesses
from deploying virtual desktops?   How do next-generation virtual desktops
provide companies an easier-to-deploy, easier-to-manage and more affordable
virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
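As an added illustration (not code from either poster), the following Python snippet applies the PCRE and the content match suggested above to constructed header blocks. It shows that the PCRE catches an empty value whether or not whitespace follows the colon, while the plain content match only catches the bare colon-CRLF form, and that a request whose lines end in a bare 0x0A instead of 0x0D 0x0A matches neither, which is the distinction the reply raises.

```python
import re

# The PCRE from the reply. Snort's /H modifier restricts it to the normalized
# HTTP header buffer; here it is applied to raw bytes for demonstration only.
EMPTY_HEADER_RE = re.compile(rb"\x0D\x0A[^\x3A]+\x3A\s*\x0D\x0A")

# Equivalent of  content:"\: |0D 0A|"; http_header;  from the reply.
COLON_CRLF = b":\r\n"

# Constructed request header blocks used as sample input.
CRLF_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: zombo.com\r\n"
                b"Keep-Alive:\r\n"              # empty value, bare colon
                b"Accept-Language: en-US\r\n"
                b"X-Empty:   \r\n\r\n")         # empty value, trailing spaces

LF_REQUEST = (b"GET / HTTP/1.1\n"              # bare 0x0A line endings
              b"Host: zombo.com\n"
              b"Keep-Alive:\n"
              b"Accept-Language: en-US\n\n")

NORMAL_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: zombo.com\r\n"
                  b"Keep-Alive: 300\r\n\r\n")   # no empty values


def find_empty_headers(raw: bytes) -> list:
    """Names of headers whose value is empty or whitespace-only, per the PCRE.

    Each match consumes its trailing CRLF, so two empty headers on adjacent
    lines yield a single match; that is still enough for a rule to alert.
    """
    names = []
    for m in EMPTY_HEADER_RE.finditer(raw):
        # m.group(0) looks like b"\r\nName:   \r\n"; keep only the name.
        names.append(m.group(0).strip(b"\r\n").split(b":", 1)[0])
    return names


def content_match(raw: bytes) -> bool:
    """True if the simpler content match (colon directly followed by CRLF) hits."""
    return COLON_CRLF in raw


if __name__ == "__main__":
    for label, req in (("CRLF", CRLF_REQUEST), ("LF", LF_REQUEST),
                       ("normal", NORMAL_REQUEST)):
        print(label, find_empty_headers(req), content_match(req))
```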
