Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http_header

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 23 Jul 2012 17:06:24 -0400
On Jul 23, 2012, at 4:37 PM, Andrew Torres <aatorres19 () gmail com> wrote:


Does the http_header option include data the request, I would like to write a signature  that looks both in the uri 
and the headers and was hoping I could do it with just one modifier instead of two.


Right now, http_header looks at the whole header, except for things in the Cookie field (http_cookie), the URI 
(http_uri) the status code (http_stat_code) and the method (http_method).  So to do what you are asking you'll need two 
content matches each with their own modifier.

This will change somewhat for the better in a future release of Snort, but for now, that's what you have.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: