Snort mailing list archives
Re: http_header not working
From: NIDS TEAM <nidsteam () gmail com>
Date: Fri, 26 Sep 2014 16:45:08 +0200
- I was testing with www.brot.ch/de/sitemap.html, thus the signature would check for the content "sitemap".
- The tool which is used: wget, elinks

The following HTTP request hits Snort:

GET http://www.brot.ch/de/sitemap.html HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: www.brot.ch
Connection: Close
Proxy-Connection: Keep-Alive

- The "test" (resp. mail) string should be in the http_uri. But since it is not working with http_uri, I tried several other http_* modifiers and none of them worked, e.g.:

content:"brot"; http_header;      when accessing www.brot.ch/de/sitemap.html
content:"sitemap"; http_uri;      when accessing www.brot.ch/de/sitemap.html

I just repeated the test from above, with the same results, and also did it with the following request:

GET http://www.google.com/mail HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: www.google.com
Connection: Close
Proxy-Connection: Keep-Alive

The following payload triggered the alert this time:

HTTP/1.1 301 Moved Permanently
Location: https://mail.google.com/mail/
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 26 Sep 2014 14:12:18 GMT
Expires: Sun, 26 Oct 2014 14:12:18 GMT
Cache-Control: public, max-age=2592000
Server: sffe
Content-Length: 226
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
X-Cache: MISS from prx-j225.open.ch
Via: 1.1 prx-j225.open.ch (squid)
Connection: keep-alive

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
...

This raises the assumption that hopefully I do not understand how http_uri and co work, or something is wrong here? Shouldn't it also match HTTP requests?

Thanks
guido
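As an added illustration (not from the post above and not Snort's own HTTP inspector), the following constructed model splits the request and the redirect response quoted in the post into the parts a content match with each http_* modifier would roughly inspect, which makes visible why "brot" sits in the Host header while "sitemap" sits in the URI, and why the 301 response has no URI buffer at all. The buffer names and the absolute-form handling are assumptions of this model, not Snort's normalisation rules.

```python
# Constructed approximation of which part of an HTTP message a content match
# with a given http_* modifier inspects.  Not Snort code; assumes a simple
# split into start line, header block and body.
from urllib.parse import urlsplit

def split_http_message(raw: str) -> dict:
    """Split a raw HTTP request or response into modifier-like buffers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    bufs = {"header": "\r\n".join(lines[1:]), "body": body,
            "uri": "", "path": "", "method": "", "stat": ""}
    if start.startswith("HTTP/"):
        bufs["stat"] = start              # response: status line only, no URI
    else:
        method, target, _ = start.split(" ", 2)
        bufs["method"] = method
        bufs["uri"] = target              # proxy requests carry absolute-form URIs
        bufs["path"] = urlsplit(target).path or "/"   # path-only view for comparison
    return bufs

def matches(raw: str, content: str, modifier: str) -> bool:
    """Case-sensitive content match against one named buffer."""
    return content in split_http_message(raw).get(modifier, "")

# Constructed request modelled on the wget request in the post (via a proxy).
REQUEST = ("GET http://www.brot.ch/de/sitemap.html HTTP/1.1\r\n"
           "User-Agent: Wget/1.13.4 (linux-gnu)\r\nAccept: */*\r\n"
           "Host: www.brot.ch\r\nConnection: Close\r\n"
           "Proxy-Connection: Keep-Alive\r\n\r\n")
# Constructed response modelled on the 301 redirect in the post.
RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: https://mail.google.com/mail/\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n\r\n<HTML>...")

if __name__ == "__main__":
    for content, mod in [("sitemap", "uri"), ("sitemap", "header"),
                         ("brot", "uri"), ("brot", "path"), ("brot", "header"),
                         ("mail", "uri"), ("mail", "header")]:
        print(f'content:"{content}"; http_{mod};'
              f'  request={matches(REQUEST, content, mod)}'
              f'  response={matches(RESPONSE, content, mod)}')
```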
Current thread:
- http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Shirkdog (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Stephen Gantz (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 29)
- Re: http_header not working waldo kitty (Sep 29)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Shirkdog (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 29)