rule?

[Frank Calone <fc10011001 () gmail com>]

I’m trying to alert when I find this pattern within say the first 15 bytes
of the file data of an http session.  My rule is not working and I don’t
know why.  I have a pcap file and am playing it back as follows:

snort –dvr  file1.pcap –c /etc/snort/snort.conf



The stats at the end show zero alerts.



Here is my rule:



 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"pcap file hit";
flow:to_client,established; content:"Content-Type: text/html"; http_header;
content:"|0d 0a|"; http_header; file_data; content:"|1f 2f|"; depth:15;
flowbits:set,tagged; tag:session,0,packets,1000,seconds; sid:3889999;
rev:0;)



so, I am looking for hex “1f 2f” within the first 15 bytes of the file data
of the http session.



The pcap data has the following info:

64 69 6E 67 3A 20 63 68 75 6E 6B 65 64 0D 0A 43  ding: chunked..C

6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78  ontent-Type: tex

74 2F 68 74 6D 6C 0D 0A 0D 0A 52 50 30 30 1F 2F  t/html....RP00./
18 56 61 88 18 1B 18 20 20 1C 20 18 18 E7 E7 18  .Va.............

Frank

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!