Snort mailing list archives

Re: Need help with byte_test


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Feb 2013 19:15:22 -0500

Write a rule for "content-length" and deploy it, you'd be surprised.


On Feb 12, 2013, at 2:20 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 2/12/2013 13:50, Jeremy Hoel wrote:
I believe you could add a 'no-case' so that it checked content-length
and Content-Length, correct?

sure one could do that but why? i'm not aware of any other format than 
"Content-Length:" being proper and allowed for... one might write a rule for the 
other variants to catch them as being invalid so that followup on the traffic 
can be performed...

Some of the options tend to get a bit confusing. hehe

hahaha... yep, at times :P

On Tue, Feb 12, 2013 at 5:53 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 2/12/2013 01:46, sandeep mlist wrote:
Hi,
I need to test if a content-length is zero. Here is the response
"HTTP/1.1 200 OK
Date: Wed, 23 Jan 2013 23:44:06 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT
ETag: "0-4d3fd35aaeb66"
Accept-Ranges: bytes
Content-Length: 0"

I am checking for "content:"|0a|content-length:" and i need to test if length is
zero using byte_test. Please help me.

firstly, there is a difference between "Content-Length:" and
"content-length:"... ensure that detection of "Content-Length:" is accurate and
then move to the next step of checking the number...



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
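
The two steps discussed in this thread (first pin down how the header name is spelled, then test the number), modelled offline in Python as an added example; it is not code from any poster and not Snort rule syntax. The function name, the report keys, and every sample except the response quoted in the thread are constructed for illustration, and CRLF line endings are assumed.

```python
import re

# Any casing of the header name at the start of a line; value runs to end of line.
HEADER_RE = re.compile(rb"^(content-length)[ \t]*:[ \t]*([^\r\n]*?)[ \t]*\r?$",
                       re.IGNORECASE | re.MULTILINE)

def inspect_content_length(response: bytes) -> dict:
    """Report how Content-Length is spelled in the header block and whether it is 0."""
    # Keep only the header block, so the same string in a body cannot match.
    head = re.split(rb"\r?\n\r?\n", response, maxsplit=1)[0]
    report = {"names": [], "exact_case": False, "variant_case": False,
              "zero": False, "malformed": False}
    for name, value in HEADER_RE.findall(head):
        report["names"].append(name.decode("ascii"))
        # Step 1: exact "Content-Length" spelling, or a casing variant to follow up on?
        if name == b"Content-Length":
            report["exact_case"] = True
        else:
            report["variant_case"] = True
        # Step 2: numeric check, treating the value as decimal text.
        if value.isdigit():
            report["zero"] = report["zero"] or int(value) == 0
        else:
            report["malformed"] = True  # empty or non-numeric value
    return report

# The response quoted in the thread (CRLF line endings assumed).
THREAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 23 Jan 2013 23:44:06 GMT\r\n"
    b"Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7\r\n"
    b"Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT\r\n"
    b'ETag: "0-4d3fd35aaeb66"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 0\r\n\r\n")
# Constructed samples: lowercase name, header string inside a body, empty value.
LOWERCASE_SAMPLE = b"HTTP/1.1 200 OK\r\ncontent-length: 0\r\n\r\n"
BODY_DECOY_SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\nContent-Length: 0"
EMPTY_VALUE_SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Length:\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("thread", THREAD_RESPONSE), ("lowercase", LOWERCASE_SAMPLE),
                          ("body decoy", BODY_DECOY_SAMPLE), ("empty", EMPTY_VALUE_SAMPLE)]:
        print(label, inspect_content_length(sample))
```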

