Snort mailing list archives
Re: http_header
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 23 Jul 2012 17:06:24 -0400
On Jul 23, 2012, at 4:37 PM, Andrew Torres <aatorres19 () gmail com> wrote:
Does the http_header option include data from the request? I would like to write a signature that looks both in the URI and the headers, and was hoping I could do it with just one modifier instead of two.
Right now, http_header looks at the whole header, except for things in the Cookie field (http_cookie), the URI (http_uri), the status code (http_stat_code) and the method (http_method). So to do what you are asking you'll need two content matches, each with their own modifier. This will change somewhat for the better in a future release of Snort, but for now, that's what you have.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
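The buffer split described in the reply above, written out as Snort 2.9-style rules. This is an added example, not part of the original thread or of any Sourcefire ruleset; the message text, URI path, User-Agent string and SIDs are constructed placeholders, and the variables assume a stock snort.conf.

```snort
# Single modifier: the URI string is searched for only in the http_header
# buffer. Per the reply above, the URI is not part of that buffer, so this
# rule does not see "/example/path" in the request line. It could only
# match if the same string happened to appear inside a header value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE single http_header modifier, misses the URI"; \
    flow:to_server,established; \
    content:"/example/path"; http_header; nocase; \
    classtype:web-application-activity; \
    sid:1000001; rev:1;)

# Two content matches, each with its own modifier: the first is checked
# against the URI buffer, the second against the header buffer. Both must
# match in the same request for the rule to alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE URI and header matched in separate buffers"; \
    flow:to_server,established; \
    content:"/example/path"; http_uri; nocase; \
    content:"User-Agent|3A| ExampleClient"; http_header; nocase; \
    classtype:web-application-activity; \
    sid:1000002; rev:1;)
```

A match on a Cookie value would need a third content with http_cookie, since the reply notes that the Cookie field is also kept out of http_header.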